APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack.

According to Google’s Threat Analysis Group (TAG), the group exploiting the vulnerability comprises Sandworm, Fancy Bear, and APT40, all associated with the Russian government and military.


Google’s TAG researchers have found that government-sponsored hackers are actively exploiting an already discovered WinRAR vulnerability.

This vulnerability lets hackers execute arbitrary code on the targeted device.

Attackers can steal sensitive data, hijack the victim’s computer, and install malware.

State-sponsored actors from a number of countries are exploiting this vulnerability in their malicious operations.

Google has urged users to immediately apply the latest WinRAR patch to prevent their devices from being invaded by state-backed actors.

Organizations must protect their networks by implementing a robust vulnerability management program and deploying endpoint security solutions.

On August 25, 2023, Hackread.com reported a 0-day vulnerability in WinRAR, which was actively exploited worldwide, targeting 130 traders to successfully steal funds. It has now come to light that the vulnerability continues to be exploited, despite the availability of a security patch.

Google’s Threat Analysis Group (TAG) has discovered that state-backed threat actors are continuously exploiting a known vulnerability in the popular file archiver tool for Windows, WinRAR. The vulnerability is tracked as CVE-2023-38831, and it was exploited for the first time in early 2023 by cybercrime groups before it was identified by defenders. Now state-backed actors are exploiting it. Until August, this bug was exploited as zero-day. It was first reported by Group-IB researchers.

TAG’s Kate Morgan wrote in the report published on 18 October that despite that a patch was released soon after it was discovered, many devices remain unpatched and are vulnerable to exploitation. This is probably because the WinRAR tool doesn’t have an auto-update feature. It was fixed in WinRAR versions 6.24 and 6.23. Users have to download the patch manually.

Regarding the state-sponsored actors exploiting the WinRAR bug, TAG noted that three different clusters of attackers are involved. These include Sandworm aka FROZENBARENTS, Russian APT28 aka Fancy Bear or FROZENLAKE, and APT40 aka ISLANDDREAMS

For your information, Sandworm is affiliated with the Russian Armed Forces’ Main Directorate of the General Staff Unit 74455 and likes to target the energy sector. The Ukrainian drone-based email campaign Sandworm launched on September 6th exploits this bug to deliver a ZIP archive file

APT28 is also linked to the same unit but focuses on targeting Ukrainian government entities with a spearphishing campaign. APT40 is associated with the Chinese government and exploited this bug in late August to launch a phishing campaign targeting Papua New Guinea.

APTs Exploiting WinRAR 0day Falw Despite Patch Availability

This vulnerability lets attackers execute arbitrary code on their targeted device by tricking the victim into opening a specially designed PNG file with a ZIP archive, leading to the stealing of sensitive data, installation of malware, or hijacking of the infected device. Since April 2023, cybercriminals have actively used this bug to target cryptocurrency trading accounts. 

APTs Exploiting WinRAR 0day Falw Despite Patch Availability

“A logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces.”

Google’s Threat Analysis Group (TAG)

This widespread exploitation highlights that “exploits for known vulnerabilities can be highly effective, despite a patch being available” and indicates the importance of prompt application of security patches. 

Update Your WinRAR Installer to the Latest Version

To safeguard your system and personal data from potential threats, it’s crucial to keep your WinRAR installer up-to-date with the latest version. Updating your WinRAR software ensures that you have the latest security patches and enhancements, significantly reducing the risk of falling victim to cyberattacks.

You can get WinRaR’s latest version on its official website. Don’t wait – stay protected by regularly checking for updates and applying them as soon as they become available. Your digital security depends on it.

  1. The Best Way to Install and Set-Up WinRAR 64-bit
  2. WinRAR vulnerability allowed attackers to remotely hijack systems
  3. Hackers are using 19-year-old WinRAR bug to install nasty malware
Related Posts