
WinRAR Vulnerability Exposes Users to State-Backed Threat Actors
State-backed threat actors from Russia and China have been exploiting a security flaw in the WinRAR archiver tool for Windows, tracked as CVE-2023-38831, which allows arbitrary code execution. Google's Threat Analysis Group (TAG) has identified three distinct clusters exploiting the flaw: FROZENBARENTS (aka Sandworm), FROZENLAKE (aka APT28), and ISLANDDREAMS (aka APT40). These actors have been running phishing campaigns that distribute malicious ZIP files carrying the exploit to targeted organizations in Ukraine and Papua New Guinea. Successful attacks result in the deployment of various malware, including commodity stealers and backdoors. The widespread exploitation of this known vulnerability shows that such exploits remain effective for as long as users keep running unpatched versions, even after a fix has been released.