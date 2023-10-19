Google’s Threat Analysis Group (TAG) says several state-backed hacking groups are exploiting a high-severity vulnerability in older versions of WinRAR — compression software over 500 million people use.

By exploiting the vulnerability, the attackers gain arbitrary code execution on victims' systems as soon as a target opens a crafted archive.

TAG has observed state-backed actors from several countries exploiting the bug, including Russia's Sandworm and APT28 and China's APT40.

“In recent weeks, Google’s TAG has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows,” said Google TAG.

“A patch is now available, but many users still seem to be vulnerable. TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.”

The WinRAR vulnerability was exploited as a zero-day from April 2023 until the fix shipped in WinRAR 6.23 in August 2023. WinRAR has no automatic update mechanism, so any installation that has not been manually updated (or updated through software management) remains exploitable. CVE-2023-38831 is a logic flaw in how WinRAR handles a crafted archive (a ZIP file in the known lures) that contains a benign-looking file, such as an invitation PDF, next to a directory whose name is the same but ends in a trailing space and which holds a same-named script. When the victim double-clicks the decoy inside WinRAR, the archiver also extracts the directory's contents, and Windows ends up running the script instead of opening the document. Threat actors therefore need only trick targets into opening a lure archive and clicking the file shown inside it.
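As an added example (not code from the article or from Google TAG), the following Python script triages ZIP archives for the entry layout used in the public CVE-2023-38831 lures: a top-level decoy file, a directory named like the decoy plus a trailing space, and inside it an entry that starts with the decoy's name and ends in an executable extension. The executable-extension list and the two constructed sample archives are assumptions for illustration; in practice you would point `scan_file` at quarantined mail attachments or a file share.

```python
import io
import sys
import zipfile

# Assumed, illustrative list of extensions Windows runs rather than opens as a document.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".vbe", ".js", ".jse",
             ".wsf", ".wsh", ".ps1", ".scr", ".hta", ".pif", ".lnk"}


def find_cve_2023_38831_pattern(zip_bytes):
    """Return (decoy, payload) pairs that match the known lure layout.

    Layout: a top-level file "X.ext", a directory "X.ext /" (same name plus a
    trailing space), and inside it an entry whose name also begins with "X.ext "
    and ends in an executable extension. Opening "X.ext" from such an archive in
    an unpatched WinRAR causes the script to run instead of the document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        top_level_files = [n for n in names if "/" not in n]
        for decoy in top_level_files:
            suspect_dir = decoy + " /"
            for name in names:
                if not name.startswith(suspect_dir) or name == suspect_dir:
                    continue
                inner = name[len(suspect_dir):]
                ext = "." + inner.rpartition(".")[2].lower()
                # Require both the same-name-plus-space prefix and an executable suffix.
                if inner.startswith(decoy + " ") and ext in EXEC_EXTS:
                    findings.append((decoy, name))
    return findings


def build_sample_lure():
    """Constructed sample reproducing the lure layout with a harmless script body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite.pdf", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        zf.writestr("invite.pdf /invite.pdf .cmd", b"@echo constructed sample\r\n")
    return buf.getvalue()


def build_sample_benign():
    """Constructed archive with an ordinary layout, used as the negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invite.pdf", b"%PDF-1.4\n")
        zf.writestr("notes/readme.txt", b"plain text\n")
    return buf.getvalue()


def scan_file(path):
    """Scan one archive on disk; returns the list of matching (decoy, payload) pairs."""
    with open(path, "rb") as f:
        return find_cve_2023_38831_pattern(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            hits = scan_file(path)
            print(path, "SUSPICIOUS" if hits else "clean", hits)
    else:
        # Self-check against the constructed samples when run without arguments.
        print("lure  :", find_cve_2023_38831_pattern(build_sample_lure()))
        print("benign:", find_cve_2023_38831_pattern(build_sample_benign()))
```

The check is deliberately structural: it keys on the trailing-space directory name rather than on any payload content, so it still fires when the script body is obfuscated or the decoy is a different document type, and it never extracts anything to disk.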

The bug has been used to deliver various malware payloads, including DarkMe, GuLoader, and Remcos RAT.

In an attack in September, the Russian threat group Sandworm distributed Rhadamanthys infostealer malware via fake invitations to a Ukrainian drone flying school.

APT28 attackers targeted Ukrainian users through exploits hosted on a free hosting provider. They used a malicious PowerShell script known as IRONJAW to steal browser login data.

Researchers also observed attacks against targets in Papua New Guinea from the Chinese threat group APT40.

The threat actors distributed the ISLANDSTAGER and BOXRAT malware, which gave them persistent, long-term access to infected systems.

