
Intrusion Alert: WinRAR Vulnerability Exploited in Sophisticated Phishing Attack


A recent security breach involving the exploitation of a disclosed vulnerability in the widely used WinRAR archiving utility has put users at risk.

Pro-Russian hacking groups have leveraged this flaw in a phishing campaign to steal credentials from compromised systems.

[Image: Content of the malicious RAR file]

The Attack Unveiled

Cybersecurity firm Cluster25 has reported that the attack hinges on specially crafted archive files that exploit the recently disclosed vulnerability in WinRAR versions prior to 6.23, tracked as CVE-2023-38831.

The crafted archive contains a PDF file which, when opened, triggers execution of a Windows batch script.

[Image: Batch file script]

The script then runs PowerShell commands that establish a reverse shell, giving the attacker remote access to the compromised host.

Data Theft in Progress

The attackers have also added a PowerShell script to their arsenal. Its purpose is to:

  • Steal sensitive information, including login credentials stored in the Google Chrome and Microsoft Edge browsers.
  • Transmit the stolen data through the legitimate web service webhook.site.
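The two behaviours described above (WinRAR launching a batch script that hands off to PowerShell, and the resulting process exfiltrating to webhook.site) are what a defender can hunt for in endpoint telemetry. The following is an added detection example, not code from the article or from Cluster25; the event records are constructed here in a simplified Sysmon-like shape, and the process names, PIDs and hostnames are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: str      # timestamp (constructed)
    kind: str    # "process" (creation) or "network" (outbound connection)
    pid: int
    ppid: int
    image: str   # process image name
    detail: str  # command line for process events, destination host for network events

EXFIL_DOMAIN = "webhook.site"                 # named in the article as the exfil channel
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}  # batch and PowerShell interpreters
ARCHIVER = "winrar.exe"

def detect(events: list[Event]) -> list[str]:
    """Flag (1) a script host whose ancestry includes WinRAR and
    (2) any WinRAR-descended process contacting webhook.site."""
    by_pid = {e.pid: e for e in events if e.kind == "process"}

    def lineage(pid: int) -> list[str]:
        # Walk parent links from pid upward, returning lower-cased image names.
        chain = []
        while pid in by_pid:
            chain.append(by_pid[pid].image.lower())
            pid = by_pid[pid].ppid
        return chain

    alerts = []
    for e in events:
        if e.kind == "process" and e.image.lower() in SCRIPT_HOSTS:
            if ARCHIVER in lineage(e.ppid):
                alerts.append(f"{e.ts} {e.image} spawned under WinRAR: {e.detail}")
        elif e.kind == "network" and e.detail.lower().endswith(EXFIL_DOMAIN):
            if ARCHIVER in lineage(e.pid):
                alerts.append(f"{e.ts} WinRAR-descended {e.image} contacted {e.detail}")
    return alerts

# Constructed sample telemetry: one malicious chain plus one benign PowerShell run.
SAMPLE_EVENTS = [
    Event("10:00:01", "process", 100, 1, "explorer.exe", "explorer.exe"),
    Event("10:00:05", "process", 200, 100, "WinRAR.exe", 'WinRAR.exe "C:\\Users\\u\\Downloads\\sample.rar"'),
    Event("10:00:07", "process", 300, 200, "cmd.exe", "cmd.exe /c sample.cmd"),
    Event("10:00:08", "process", 400, 300, "powershell.exe", "powershell.exe -w hidden -File stage.ps1"),
    Event("10:00:09", "network", 400, 300, "powershell.exe", "webhook.site"),
    Event("10:01:00", "process", 500, 100, "powershell.exe", "powershell.exe -File backup.ps1"),
    Event("10:01:02", "network", 500, 100, "powershell.exe", "updates.example.com"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```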

But wait, there’s more to this tale of digital deception! 

CVE-2023-38831 – A High-Severity Flaw

CVE-2023-38831 designates a high-severity security flaw in WinRAR. This vulnerability enables threat actors to execute arbitrary code by manipulating a benign file within a ZIP archive. 

Disturbingly, findings by Group-IB in August 2023 revealed that this flaw had been weaponized as a zero-day exploit since April 2023, primarily targeting individuals involved in trading.

Ukraine in the Crosshairs

Ukraine has been a primary target for cyber activities originating from Russia since the commencement of the war last year. 

https://twitter.com/hatr/status/1494265579120869378

In July 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) attributed Turla to attacks involving the Capibar malware and Kazuar backdoor, directed explicitly at Ukrainian defense assets.

Turla’s Persistence

Trend Micro’s recent report underscores the persistence of the Turla group, indicating well-funded operations with highly skilled operatives. Turla continuously refines its tools and techniques, making them an enduring threat.

Bad Apples Hidden in a Bunch

It pays to be a bit paranoid and take your online security as seriously as you would protect your secret stash of midnight snacks from raccoons. 

Stay vigilant and update your digital locks! Stay safe out there!

Author: Anas Hasan

Date: October 17, 2023

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
