UPDATED 19:32 EDT / OCTOBER 18 2023


WinRAR vulnerability under active exploitation, warns Google’s Threat Analysis Group

Google LLC’s Threat Analysis Group today warned users of a vulnerability in the file archiving and compression software WinRAR that is being actively exploited by hacking groups, including allegedly state-sponsored actors.

The researchers at Google TAG have observed hacking groups leveraging a vulnerability tracked as CVE-2023-3883. The vulnerability, found in versions of WinRAR before 6.23, allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.

The vulnerability was first detected in April, and although a patch was issued, many users remain susceptible. The flaw lies in WinRAR’s file extraction logic and allows attackers to execute arbitrary code on a user’s system.

The exploit occurs when a user attempts to view a file within a ZIP archive using WinRAR. The logic flaw, combined with a quirk in the Windows ShellExecute function, allows attackers to trick the system into executing malicious code instead of opening the intended file.

The vulnerability is being exploited by allegedly state-sponsored and financially motivated hackers, with early exploitation aimed at financial traders. Among the hacking groups using the exploit, the Google TAG report highlights two of particular concern: Frozenbarents and Frozenlake. Both groups are believed to be linked to the GRU, Russia’s foreign military intelligence agency.

Frozenbarents has been found to have impersonated a Ukrainian training school to deliver malware, while Frozenlake targeted Ukrainian government organizations, with a particular focus on the war-torn country’s energy infrastructure. Both campaigns employed the WinRAR vulnerability to deliver malware, demonstrating how critical the issue is.

Islanddreams, another attack group believed to be linked to groups in China, also used the vulnerability to target Papua New Guinea. The campaign used phishing emails that included a Dropbox link to a ZIP archive.

Rarlab GmbH, the German company behind WinRAR, issued a patch for the vulnerability in August. However, Google’s researchers note that the persistence of malicious campaigns exploiting the vulnerability highlights the importance of applying patches promptly and also ensuring broader awareness among users and organizations about the risks associated with outdated software.
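The practical takeaway from the report is patch coverage: the article states that WinRAR versions before 6.23 are affected and that many installs remain unpatched. The script below is an added example, not code from the article, Google TAG or Rarlab; it takes a software inventory (the hosts and version strings here are constructed sample data) and lists the machines still running a pre-6.23 WinRAR. WinRAR version strings are not uniform across inventory tools ("6.02", "6.23.0", "6.22 beta 1"), so the parser normalizes them, and a pre-release build of 6.23 is counted as unpatched, which is a conservative assumption of this example rather than a statement from the article.

```python
"""Flag WinRAR installations that predate the 6.23 fix described in the article.

Added example; the inventory below is constructed sample data, not real hosts.
"""
import re
from typing import Dict, List, Tuple

# From the article: versions of WinRAR before 6.23 are affected.
FIXED_VERSION = (6, 23)

# Accepts "6.23", "6.02", "6.23.0", "6.22 beta 1" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(beta\s*\d*)?\s*$", re.IGNORECASE
)


def parse_winrar_version(text: str) -> Tuple[int, int, bool]:
    """Return (major, minor, is_beta) for a WinRAR version string.

    Raises ValueError for strings the regex does not recognize so that
    unparseable inventory rows are surfaced rather than silently skipped.
    """
    match = _VERSION_RE.match(text or "")
    if not match:
        raise ValueError(f"unrecognized WinRAR version string: {text!r}")
    major, minor, beta = match.group(1), match.group(2), match.group(3)
    return int(major), int(minor), beta is not None


def is_unpatched(version: str) -> bool:
    """True when the install predates the fix.

    Anything below 6.23 is unpatched per the article. A beta of 6.23 is
    treated as unpatched too; that is a conservative assumption of this
    example, not a claim from the report.
    """
    major, minor, is_beta = parse_winrar_version(version)
    if (major, minor) < FIXED_VERSION:
        return True
    return (major, minor) == FIXED_VERSION and is_beta


# Constructed sample inventory: host names and versions are made up.
INVENTORY: List[Dict[str, str]] = [
    {"host": "ws-finance-01", "product": "WinRAR", "version": "6.22"},
    {"host": "ws-finance-02", "product": "WinRAR", "version": "6.23"},
    {"host": "ws-eng-07", "product": "WinRAR", "version": "5.91"},
    {"host": "ws-eng-08", "product": "7-Zip", "version": "23.01"},
    {"host": "ws-ops-03", "product": "WinRAR", "version": "6.24.0"},
    {"host": "ws-ops-04", "product": "WinRAR", "version": "6.23 beta 1"},
    {"host": "ws-lab-01", "product": "WinRAR", "version": ""},
]


def find_unpatched(inventory: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Split WinRAR hosts into (unpatched, needs_review).

    needs_review collects hosts whose version string could not be parsed,
    so the report never quietly drops a machine of unknown state.
    """
    unpatched: List[str] = []
    needs_review: List[str] = []
    for row in inventory:
        if row.get("product", "").lower() != "winrar":
            continue
        try:
            if is_unpatched(row.get("version", "")):
                unpatched.append(row["host"])
        except ValueError:
            needs_review.append(row["host"])
    return sorted(unpatched), sorted(needs_review)


if __name__ == "__main__":
    unpatched_hosts, review_hosts = find_unpatched(INVENTORY)
    print("WinRAR installs below 6.23 (patch required):")
    for host in unpatched_hosts:
        print(f"  {host}")
    print("Hosts with unparseable version strings (verify manually):")
    for host in review_hosts:
        print(f"  {host}")
```

Feed the function rows exported from whatever inventory system is in use (SCCM, Intune, osquery, a CMDB); the only fields it relies on are `host`, `product` and `version`.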

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” the researchers conclude. “Even the most sophisticated attackers will only do what is necessary to accomplish their goals.”

Image: DALL-E 3
