Russian and Chinese nation-state actors target recently patched WinRAR zero-day

Several nation-state actors associated with Russia and China have been abusing a high-severity flaw in the WinRAR file archiver utility as part of their operations, Google’s Threat Analysis Group (TAG) reported.

Tracked as CVE-2023-38831, the flaw could be exploited by a remote attacker using a specially crafted archive containing executable malicious files whose names are designed to spoof a benign file extension such as .jpeg or .txt.
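The article does not spell out the archive layout the exploit relies on. The Python example below is added here and is not from the report; it assumes the publicly documented CVE-2023-38831 pattern, in which a decoy file sits beside a same-named directory (often with a trailing space) that holds an executable whose name begins with the decoy's, and it flags ZIP archives laid out that way so they can be quarantined before a user opens them.

```python
import io
import zipfile

# Extensions that Windows will launch when the spoofed decoy entry is opened.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk"}


def find_cve_2023_38831_pattern(names):
    """Return (decoy, payload) pairs whose layout matches CVE-2023-38831.

    Pattern: a top-level file "decoy.ext" (often with a trailing space) plus a
    directory of the same name holding a "decoy.ext<space>.cmd"-style executable.
    `names` are the raw entry names from the ZIP central directory.
    """
    files, dirs = {}, {}
    for name in names:
        parts = name.split("/")
        top = parts[0].rstrip()  # normalise the trailing-space trick
        if len(parts) == 1:
            files[top] = name
        else:
            dirs.setdefault(top, []).append(name)
    hits = []
    for base, decoy in files.items():
        for member in dirs.get(base, []):
            leaf = member.rsplit("/", 1)[-1]
            ext = "." + leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
            if ext in EXEC_EXTS and leaf.rstrip().lower().startswith(base.lower()):
                hits.append((decoy, member))
    return hits


def scan_zip(data):
    """Scan raw ZIP bytes (e.g. an e-mail attachment) and return matches."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_pattern(zf.namelist())


def build_sample(malicious):
    """Construct an in-memory sample archive (test data, not a real artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("curriculum.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("curriculum.pdf /curriculum.pdf .cmd", b"rem inert placeholder\r\n")
        else:
            zf.writestr("curriculum.pdf", b"%PDF-1.4 benign")
            zf.writestr("notes/readme.txt", b"plain text")
    return buf.getvalue()
```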

The TAG team said they observed a Russian military hacking unit they track as Frozenbarents, which is more commonly known as Sandworm, using the WinRAR vulnerability as part of a phishing campaign impersonating a Ukrainian drone warfare training school.

The malicious email contained a link to an anonymous file-sharing service, fex[.]net, which delivered a benign decoy PDF document with a drone operator training curriculum and a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys infostealer capable of collecting browser credentials, session info and other data. The malware is offered on a subscription basis and can be rented out for as low as $250 for 30 days.

Another well-known Russian threat actor, Frozenlake (aka APT28 and Fancy Bear), has also taken advantage of CVE-2023-38831 as part of a campaign targeting a Ukrainian energy infrastructure facility. The threat actor used a free hosting provider to host CVE-2023-38831 exploits and deployed a malicious PowerShell script called IronJaw to steal browser credentials.

Separately, cybersecurity firm Cluster25 observed APT28 using the WinRAR flaw in a credential harvesting campaign.

Besides Russian threat actors, Chinese hackers, namely APT40 (IslandDreams), exploited CVE-2023-38831 in a phishing campaign targeting Papua New Guinea. In this attack, the hackers deployed the IslandStager and Boxrat backdoors to establish persistence on compromised systems.

Separately, Microsoft has warned that two North Korean threat actors it tracks as Diamond Sleet (aka Zinc) and Onyx Sleet (Plutonium) have been observed exploiting a remote code execution vulnerability (CVE-2023-42793) affecting the JetBrains TeamCity build management and continuous integration server.

The Diamond Sleet attacks exploited the flaw to deploy the Forest Tiger backdoor to establish persistent access to the target system, while Onyx Sleet created a new user account on the compromised system with administrator-level access.
