Update WinRAR now or face the consequences

We knew that sooner or later karma would punish us for never paying the WinRAR license.

Pedro Domínguez

Zero-day bugs (and the exploits that target them) are security flaws in a computer program that hackers can exploit to attack users before the developer becomes aware of them and fixes them. These types of bugs, a nightmare for software companies, are often detected shortly after the program’s release, although sometimes they persist for years without being discovered.

Recently, it has been discovered that several hacker groups backed by the governments of Russia and China are exploiting a zero-day vulnerability in the popular file compression program WinRAR to infect their victims’ computers.

This security flaw, known as CVE-2023-38831, was discovered in August of this year and was fixed with an update to WinRAR (version 6.23). However, many users have not updated the program and are still vulnerable to attacks. Google’s Threat Analysis Group (TAG) has since found evidence that several hacker groups sponsored by Russia and China are exploiting this zero-day bug in their operations.

According to TechCrunch, one of these groups is called Sandworm, a unit of Russian military intelligence that engages in destructive cyber attacks, such as the one launched in 2017 with the NotPetya ransomware, which paralyzed Ukraine’s power grid.

Google researchers observed that Sandworm used the WinRAR bug in early September as part of a malicious email campaign posing as a military drone training school in Ukraine. The emails contained a link to a compressed file that exploited the WinRAR flaw; opening it installed malware that stole browser passwords.

Another hacker group exploiting the WinRAR bug is known as APT28 or Fancy Bear, linked to the Russian government and infamous for its involvement in the hacking of the United States Democratic National Committee in 2016.

According to researchers, Fancy Bear used the WinRAR bug to target users in Ukraine by posing as a political studies center in the country. These emails included a compressed file that, when opened, installed malware allowing remote control of the computer.

Lastly, Google also found evidence that the APT40 group, backed by the Chinese government and linked to the Ministry of State Security, abused the WinRAR bug as part of a phishing campaign targeting users in Papua New Guinea. These emails included a Dropbox link to a compressed file containing the CVE-2023-38831 exploit.
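The article does not describe what the booby-trapped archives in these campaigns look like, so here is an added detection example (not code from the article, from Google TAG or from WinRAR): it scans a ZIP for the publicly documented CVE-2023-38831 layout, in which a decoy document sits beside a folder of the same visible name (differing only by trailing whitespace) that holds a script, which vulnerable WinRAR versions ran when the victim opened the decoy. The function and helper names are my own, and both sample archives are constructed fixtures with harmless contents.

```python
import io
import zipfile

# File types Windows will run when launched from WinRAR's temporary extraction folder
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".com", ".ps1", ".vbs", ".js", ".scr", ".pif")


def find_decoy_folder_pattern(zip_bytes):
    """Return (decoy, script) pairs matching the CVE-2023-38831 layout: a top-level
    decoy document beside a folder with the same visible name (trailing whitespace
    aside) that holds a file with an executable extension."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()  # raw entry names; zipfile does not trim spaces
    files = [n for n in names if not n.endswith("/")]
    dirs = set()  # folders, whether stored explicitly or only implied by paths
    for n in names:
        parts = n.rstrip("/").split("/")
        depth = len(parts) if n.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            dirs.add("/".join(parts[:i]))
    findings = []
    for decoy in files:
        if "/" in decoy:
            continue  # the lure is the top-level file the victim double-clicks
        for folder in dirs:
            if folder.rstrip() != decoy.rstrip():
                continue
            for inner in files:
                if inner.startswith(folder + "/") and inner.lower().endswith(SCRIPT_EXTS):
                    findings.append((decoy, inner))
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real malware: the "script" only echoes a line
SUSPICIOUS_ZIP = build_zip({
    "report.pdf ": b"%PDF-1.4 decoy document",
    "report.pdf /report.pdf .cmd": b"@echo constructed sample\r\n",
})
BENIGN_ZIP = build_zip({
    "report.pdf": b"%PDF-1.4 real document",
    "report_files/chart.png": b"\x89PNG constructed",
})
```

Running `find_decoy_folder_pattern` over attachments at a mail gateway flags the layout itself, so it still catches archives whose script content is unknown to antivirus signatures.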

As you can see, these hacker groups don’t hold back and use any resource at their disposal to achieve their goals. That’s why it’s crucial to keep WinRAR updated and avoid downloading or opening suspicious compressed files.

Publicist and audiovisual producer in love with social networks. I spend more time thinking about which videogames I will play than playing them.