Russia and China-linked hackers exploit WinRAR bug

Hackers connected to the governments of Russia and China are allegedly using a vulnerability in a popular Windows tool to attack targets around the world, including in Ukraine and Papua New Guinea.

Google’s Threat Analysis Group (TAG) said that in recent weeks it has seen multiple government-backed groups exploiting CVE-2023-38831, a vulnerability affecting the Windows file archiver tool WinRAR.

The bug, which has been patched, was initially exploited by criminal groups throughout early 2023.

“TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations,” Google said.

TAG researchers said they saw a Russian hacking group they call FROZENBARENTS, allegedly housed within the Russian Armed Forces’ Main Directorate of the General Staff (GRU) Unit 74455, launch an email campaign on September 6 attempting to impersonate a Ukrainian drone warfare training school.

Using an invitation to join the school as a lure, the email contained a link to a benign PDF document and a malicious ZIP file that exploits CVE-2023-38831.

The payload came with malware known as Rhadamanthys that allows hackers to steal browser credentials and session information among other things.


They noted that this infostealer, which cybercriminals typically rent in 30-day increments for about $250, had not been seen in other FROZENBARENTS attacks tracked by Google’s team earlier this year.

Google’s report notes that on September 4, Ukrainian cybersecurity officials at CERT-UA warned that the GRU was using CVE-2023-38831 to deliver malware targeting energy infrastructure.

China targeting Papua New Guinea

Google’s researchers also saw government-backed groups in China exploiting CVE-2023-38831 in phishing campaigns targeting organizations in Papua New Guinea.

Google attributed the activity to APT40, which it refers to as ISLANDDREAMS.

The emails contained a Dropbox link to a malicious ZIP archive holding a decoy PDF and ISLANDSTAGER, a tool the group developed to maintain access to a compromised system.
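Both the FROZENBARENTS and the ISLANDDREAMS campaigns above deliver the exploit as a ZIP archive that pairs a decoy PDF with the real payload. The article does not describe the archive layout, so the following is an added example, not code from the report or from Google: a Python script that applies the publicly documented CVE-2023-38831 archive pattern (a decoy file and a directory sharing that file's exact name including a trailing space, the directory holding a script that vulnerable WinRAR versions launched when the user opened the decoy) as a detection heuristic for mail gateways or sandbox triage. The archive it scans is constructed in memory with placeholder contents; the file names, the `RUNNABLE_EXTS` list and the `scan_zip` and `build_sample` functions are this example's own assumptions, not indicators from Google's or CERT-UA's reporting.

```python
"""Heuristic scanner for ZIP archives laid out in the CVE-2023-38831 pattern.

Added example, not from the article. The structure it looks for (a decoy
document plus a directory with the same name and trailing space, the
directory containing a script) is the publicly documented shape of archives
exploiting this WinRAR bug. The sample archive is constructed in memory.
"""
import io
import posixpath
import zipfile

# Extensions that Windows would treat as runnable if handed to ShellExecute.
# Assumed list for this example; tune it to your environment.
RUNNABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}


def scan_zip(data: bytes) -> list[str]:
    """Return a list of findings for one archive (empty list means nothing suspicious)."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = {n for n in names if not n.endswith("/")}
    # Explicit directory entries end with "/"; directories are also implied by
    # any file path that has a parent component.
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    for n in files:
        parent = posixpath.dirname(n)
        if parent:
            dirs.add(parent)

    for f in sorted(files):
        base = posixpath.basename(f)
        # 1. A file name that ends in whitespace is unusual on its own and is
        #    what lets the look-alike directory share the decoy's name.
        if base != base.rstrip():
            findings.append(f"file name with trailing whitespace: {f!r}")
        # 2. The core trick: a directory whose name is byte-for-byte the decoy's.
        if f in dirs:
            findings.append(f"file and directory share the name {f!r}")
            # 3. Inside that directory, anything runnable is the likely payload.
            for inner in sorted(files):
                if posixpath.dirname(inner) == f:
                    ext = posixpath.splitext(inner)[1].lower()
                    if ext in RUNNABLE_EXTS:
                        findings.append(f"runnable payload under look-alike directory: {inner!r}")
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct an in-memory archive; malicious=True follows the exploit layout.

    Contents are placeholders (a fake PDF header and an echo line), not a payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("invite.pdf ", b"%PDF-1.4 decoy placeholder")
            zf.writestr("invite.pdf /invite.pdf .cmd", b"echo constructed placeholder")
        else:
            zf.writestr("invite.pdf", b"%PDF-1.4 decoy placeholder")
            zf.writestr("notes/readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("exploit-shaped", True)):
        print(f"{label}: {scan_zip(build_sample(flag))}")
```

A hit on check 2 together with check 3 is a strong indicator and worth blocking outright; check 1 alone can fire on sloppily named but harmless archives, so treat it as a triage signal rather than a verdict. The same logic applies to attachments at the gateway and to archives recovered from a host during incident response.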

The U.S. Department of Justice indicted four members of APT40 in 2021 for wide-ranging campaigns targeting organizations across Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.

The group was also allegedly involved in stealing data from research institutes and universities, often targeting infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.

Researchers have warned of cybercriminals using CVE-2023-38831 in attacks since April. Hackers used it to target financial traders to deliver various commodity malware families.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” Google said.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.