Anyone Using WinRAR Needs To Update ASAP Due To A Serious Security Flaw

With a purported user base of over 500 million, WinRAR is one of the world's most popular file compression tools, thanks in part to its never-ending free trial. That prevalence also makes it a juicy target: a bug in a program this widely installed gives attackers an easy way to gain an initial foothold on a victim's machine. Google's Threat Analysis Group (TAG) has now observed several government-backed hacking groups exploiting exactly such a bug, CVE-2023-38831, which RARLAB fixed in WinRAR 6.23 back in August 2023; anyone still running an older version should update now to prevent exploitation.

In a blog post this week, Google TAG reported that it had observed government-backed hacking groups leveraging CVE-2023-38831. The vulnerability, rated 7.8 out of 10 on the CVSS scale, allows an attacker to "execute arbitrary code when a user attempts to view a benign file within a ZIP archive." The trick is in how the archive is laid out: it contains a decoy file (a PDF or image, say) and a folder with exactly the same name, and inside that folder sits a script or executable whose name also begins with the decoy's name. When the victim double-clicks the decoy inside WinRAR, the program extracts the matching entries to a temporary directory and ends up launching the script instead of opening the document, with no further interaction required. The published proof-of-concept relies on a trailing space in the shared name to confuse that lookup.

[Figure: the file structure of the proof-of-concept exploit.]
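To make the archive layout concrete, here is an added Python example (not code from the article or from Google TAG) that builds two small ZIP files in memory, one constructed to mimic the CVE-2023-38831 layout and one ordinary, and scans them for the telltale pattern: a file entry and a directory entry that share a name, with an executable inside the directory whose name begins with the decoy's. The file names, contents and the list of executable extensions are assumptions chosen for illustration; the trailing space in the shared name follows the published proof-of-concept.

```python
import io
import posixpath
import zipfile

# Extensions Windows will execute rather than open in a viewer when the
# extracted name is handed to ShellExecute. Assumed list for this example.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif",
                   ".vbs", ".js", ".wsf", ".ps1", ".lnk"}


def find_decoy_script_pairs(zip_bytes):
    """Scan a ZIP's entry names for the CVE-2023-38831 layout.

    Returns a list of (decoy_path, script_path, trailing_space) tuples, one per
    file entry that also has a same-named directory containing an executable
    whose name starts with the decoy's name. trailing_space is True when the
    shared name ends in a space, the detail the known exploits rely on.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        paths = [info.filename for info in zf.infolist() if not info.is_dir()]

    hits = []
    for decoy in paths:
        decoy_base = posixpath.basename(decoy)
        for other in paths:
            # An entry under "decoy/" means the archive also carries a
            # directory named exactly like the file entry.
            if not other.startswith(decoy + "/"):
                continue
            other_base = posixpath.basename(other)
            ext = posixpath.splitext(other_base)[1].lower()
            if other_base.startswith(decoy_base) and ext in EXECUTABLE_EXTS:
                hits.append((decoy, other, decoy_base.endswith(" ")))
    return hits


def build_sample(malicious):
    """Construct an in-memory ZIP; names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            # Decoy "report.pdf " (note the trailing space) next to a directory
            # "report.pdf /" holding "report.pdf .cmd". Double-clicking the decoy
            # in a vulnerable WinRAR runs the .cmd instead of opening the PDF.
            zf.writestr("report.pdf ",
                        b"%PDF-1.4\n% constructed decoy, not a real document\n")
            zf.writestr("report.pdf /report.pdf .cmd",
                        b"@echo off\r\nrem constructed sample payload, does nothing\r\n")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4\n")
            zf.writestr("images/cover.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("benign", build_sample(False)),
                        ("malicious", build_sample(True))):
        hits = find_decoy_script_pairs(data)
        print(f"{label}: {hits or 'no CVE-2023-38831 pattern'}")
```

The scan only reads entry names from the ZIP's central directory, so it is cheap enough to run on every archive crossing a mail gateway; it does not look inside RAR files, which WinRAR also opens. A file name ending in a space, or a file and a directory sharing one name, is unusual enough in a legitimate archive that either is worth quarantining on its own, even when no known executable extension is present.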

The TAG report describes at least four campaigns using the vulnerability, attributed to the Russian state-backed groups Sandworm and APT28 (tracked by Google as FROZENLAKE) and to the Chinese state-backed APT40 (ISLANDDREAMS). These findings are limited to samples uploaded to VirusTotal, so other groups may well be abusing the bug without having been spotted. Even so, as the TAG post puts it, this "widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective despite a patch being available."

Everyone who uses WinRAR should therefore make sure they are running version 6.23 or later. WinRAR does not update itself, so check the version under Help > About and, if it is older, download the current build from rarlab.com; this is not a fix Windows Update will push to you. The known attacks were also delivered by phishing, so be wary of archives arriving by e-mail or chat, especially ones containing a document you did not ask for. The rule of thumb is simple: if you did not request the link or file, or cannot verify who sent it, do not click or open it.