Authors: Shilpesh Trivedi and Nisarga C M
In April 2023, the cybersecurity community faced a significant challenge with the discovery of CVE-2023-38831, a vulnerability affecting versions of WinRAR prior to 6.23. This security flaw has become a critical concern due to its exploitation by various advanced persistent threat (APT) groups, who have used it to gain control of victim systems through deceptive methods.
The methods employed by these APT groups have been notably creative and insidious. They exploit the vulnerability by disguising malicious executables as commonly used file types, such as PDFs and JPGs, inside ZIP archives. This tactic lets attackers install malware on a user's device without arousing suspicion, because the victim believes they are opening a harmless file.
The exploitation of CVE-2023-38831 has not been limited to any one region. Instead, it has spread globally, with threat actors including APT groups such as DarkMe, UAC-0057, APT40, Konni, and Sandworm. These groups have strategically targeted sectors including trading, government, energy, and the cryptocurrency industry across multiple countries.
In this blog, we further describe how each APT group has employed unique tactics to exploit this vulnerability. These tactics range from using phishing emails containing malicious ZIP files to deploying different families of malware, each targeting specific industries and countries.
In addition to the exploitation tactics, this blog provides detailed insights into various types of malware disseminated through this exploit. This includes malware like DarkMe, GuLoader, Remcos, Agent Tesla, PicassoLoader, and Rhadamanthys, each with its distinct functionalities and targets.
Updating WinRAR to version 6.23 or later, the first release that addresses CVE-2023-38831, is the critical mitigation; until the update is deployed, archives received from untrusted sources should be treated with particular caution.
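To complement the update advice above with a detection step, the following script, which is an added example and not code from the original post or from any of the threat actors or malware families it names, triages a ZIP archive for the decoy shape the post describes: an executable disguised as a PDF or image. It flags three indicators, each labelled in the code: path components with trailing whitespace, executables carrying a document-style double extension (for example `invoice.pdf .cmd`), and a decoy file paired with a same-named directory that holds an executable. The sample archives are constructed in memory with harmless text content so the example runs offline; file names and extension lists are illustrative assumptions, not indicators from the post.

```python
import io
import zipfile

# Extensions Windows executes directly; a "document" whose real extension is one
# of these is the core of the disguise the post describes (illustrative list).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".scr", ".vbs", ".js", ".ps1", ".com", ".pif"}
# Decoy types mentioned in the post plus a few common document formats (assumption).
DECOY_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".txt"}


def _ext(name: str) -> str:
    """Lower-case extension of the final path component ('' if none)."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def scan_zip_bytes(data: bytes) -> list[str]:
    """Return human-readable findings for one archive; an empty list means no indicator hit."""
    findings: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    # Directories: explicit entries plus those implied by nested file paths,
    # since many archivers omit directory entries entirely.
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    dirs.update(n.rsplit("/", 1)[0] for n in files if "/" in n)

    for n in names:
        parts = n.rstrip("/").split("/")
        # Indicator 1: trailing whitespace in any path component is never
        # produced by normal archiving and hides name collisions.
        if any(p != p.rstrip() for p in parts):
            findings.append(f"trailing whitespace in entry name {n!r}")
        # Indicator 2: executable whose stem ends in a document extension
        # (double extension), e.g. 'report.pdf .cmd' or 'photo.jpg.exe'.
        if n in files and _ext(n) in EXECUTABLE_EXTS:
            base = parts[-1]
            stem = base[: base.rfind(".")].rstrip()
            if _ext(stem) in DECOY_EXTS:
                findings.append(f"executable disguised with document extension {n!r}")

    # Indicator 3: a file entry and a directory with the same name (ignoring
    # trailing whitespace), where the directory holds an executable.
    for d in sorted(dirs):
        key = d.rstrip()
        twins = [f for f in files if f.rstrip() == key]
        payloads = [f for f in files if f.startswith(d + "/") and _ext(f) in EXECUTABLE_EXTS]
        if twins and payloads:
            findings.append(f"decoy {twins[0]!r} paired with directory {d!r} holding {payloads}")
    return findings


def scan_zip_file(path: str) -> list[str]:
    """Convenience wrapper for scanning an archive on disk."""
    with open(path, "rb") as fh:
        return scan_zip_bytes(fh.read())


def build_sample(clean: bool) -> bytes:
    """Constructed sample archives (harmless text payloads) for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", "constructed decoy content")
        if clean:
            zf.writestr("notes.txt", "constructed benign content")
        else:
            # Same-named directory with trailing space holding a double-extension "script".
            zf.writestr("report.pdf /report.pdf .cmd", "echo constructed sample, not a real payload")
    return buf.getvalue()


if __name__ == "__main__":
    for label, clean in (("clean", True), ("suspicious", False)):
        print(f"{label}: {scan_zip_bytes(build_sample(clean)) or 'no indicators'}")
```

Run it against real mail attachments with `scan_zip_file(path)`; each indicator is cheap and relies only on the central directory, so the archive is never extracted. Trailing whitespace alone is a strong signal on its own, because legitimate tooling does not produce it, while the double-extension check also catches older, non-CVE social-engineering archives.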