Threat Actors Are Targeting Victims with WinRAR

Chinese and Russian threat actors are targeting victims through WinRAR. In short, WinRAR has a serious security flaw, and users are advised to patch it immediately.

Threat Actors Targeting Victims with WinRAR

Russian and Chinese state-sponsored threat actors have recently been observed abusing a known vulnerability in the popular archiving tool WinRAR in order to steal sensitive information such as passwords and other login credentials.

Google’s Threat Analysis Group (TAG), which tracks and analyzes state-sponsored hacking groups, reports that it has found evidence that the flaw, identified earlier as CVE-2023-38831 by Group-IB, was being used to hide malware in archived files.

To the average user, the files in question look much like an ordinary image or text document. Once downloaded and extracted, however, they infect the device with information-stealing malware capable of accessing files and data on the endpoint, such as passwords and payment details stored in browsers, system information, and more.

Players Behind The WinRAR Attacks

To make matters worse, it is not just one or two groups targeting WinRAR users: “multiple” groups have reportedly been targeting “many users” who have yet to apply the already released patch.

A patch does exist: RarLab, the company behind WinRAR, released version 6.23 in early August this year to address the issue. However, the program cannot update itself from within. Users need to visit the WinRAR website, download the latest version, and run the installer as if installing the program from scratch.
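A defender-side check that follows the advice above, added here as an example and not code published by RarLab or TAG: it locates WinRAR.exe on a Windows host, reads the version stamped into the binary, and reports whether it predates the fixed 6.23 release. The default install folders and the per-machine Uninstall registry keys it consults are assumptions noted in the comments.

```powershell
# Added example (not from the article): flag WinRAR installs older than 6.23.
# Assumption: WinRAR.exe lives in the default Program Files folders or in the
# InstallLocation recorded under the per-machine Uninstall keys (x64 and x86 hives).
$FixedVersion = [version]'6.23'

$candidates = @(
    "$env:ProgramFiles\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Pick up non-default install locations registered by the installer.
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'WinRAR*' -and $_.InstallLocation } |
    ForEach-Object { $candidates += (Join-Path $_.InstallLocation 'WinRAR.exe') }

$found = $false
foreach ($exe in ($candidates | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $exe)) { continue }
    $found = $true
    # ProductVersion is the version string embedded in the binary, e.g. "6.22.0".
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    # Keep only the leading numeric part so [version] can parse it.
    $installed = [version]($raw -replace '[^\d.].*$')
    $isVulnerable = $installed -lt $FixedVersion
    [pscustomobject]@{
        Path       = $exe
        Installed  = $installed
        Vulnerable = $isVulnerable
        # WinRAR has no in-app updater, so the fix is a fresh installer run.
        Action     = if ($isVulnerable) { 'Download 6.23 or later from the WinRAR website and run the installer' } else { 'None' }
    }
}
if (-not $found) {
    Write-Output 'WinRAR.exe not found in default or registered install locations.'
}
```

Run it in an elevated or standard PowerShell session on each host; the Vulnerable column is the only field that needs attention.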

Why Users Should Patch Now

Users have good reason to patch, as one of the groups was reportedly identified as Sandworm, a Russian military intelligence unit that allegedly interfered with the 2016 United States presidential election. The group has also been an active player in the ongoing Russia-Ukraine war and was behind the infamous 2017 NotPetya ransomware attack.

The Other Identified Player in the Attack

Another identified player is APT40, a Chinese hacking collective allegedly tied to the Chinese Ministry of State Security. It used the flaw to directly target endpoints in Papua New Guinea through a Dropbox link.

The WinRAR vulnerability “highlights that exploits for known vulnerabilities can be highly effective”, researchers at TAG concluded.
