McAfee Labs describes CVE-2023-38831, a critical RCE in WinRAR before version 6.23 exploited by weaponized ZIP archives that execute a malicious script during extraction. The article traces the infection chain from a crafted archive targeting traders to a C2 connection at 37.120.158.229 and a sample hash bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa. #WinRAR #CVE-2023-38831 #AMD.exe #Core.ocx #37.120.158.229 #trading_system
Keypoints
- The vulnerability occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the harmless file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file.
- Exploitation is observed as early as April 2023, with a sample hash bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa.
- The archive can be crafted so that folder and file names are the same, hinting targeted use (e.g., targeting traders with a trading_system archive).
- The weaponized ZIP contains a BAT file with a malicious script, and the BAT file shares its name with the benign file outside the folder.
- The payload chain involves a CAB SFX (weakicons.com), a VB-compiled AMD.exe that extracts a DLL from pc.txt and executes ActiveX controls, and registry modifications to load a malicious COM object.
- A TCP connection to a C2 IP (37.120.158.229) is observed, indicating beaconing or data exfiltration to threat actors.
MITRE Techniques
- [T1059.003] Windows Command Shell β The BAT file containing a malicious script is executed via the command shell during infection. βthe bat file containing a malicious script.β
- [T1059.005] Visual Basic β AMD.exe is a Visual Basic compiled file used to extract a DLL and execute ActiveX controls. βAMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.β
- [T1112] Modify Registry β The malware registers a COM object by importing registry keys from add.txt. βThe first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the βadd.txtβ file.β
- [T1218.011] Rundll32 β AMD.exe calls rundll32 on the CLSID that is registered in the registry. βAMD.exe calls rundll32 on the clsid that is registered in the registry.β
- [T1047] Windows Management Instrumentation β The WMI-like use of WMIC to execute weakicons.com. βWmic process executes weakicons.comβ
- [T1071] Application Layer Protocol β The malware establishes a TCP connection to a C2 server. βWe can see successful tcp connection to threat actors C2. ( ip 37[.]120[.]158[.]229)β
Indicators of Compromise
- [SHA-256] bc15b0264244339c002f83e639c328367efb1d7de1b3b7c483a2e2558b115eaa β Sample hash associated with the exploit
- [IP] 37.120.158.229 β C2 communication observed in the infection chain
- [Archive Name] trading_system β Archive name used in the weaponized ZIP
- [File] AMD.exe β VB-based payload executable
- [File] Core.ocx β Malicious COM object loaded via registry
- [File] weakicons.com β CAB SFX payload executed during infection
- [File Path] %APPDATA%NvidiaCore.ocx β Registry/Filesystem artifact used by the payload
- [File] add.txt β Registry keys loaded during COM object registration
- [File] pc.txt β Containing the encrypted DLL blob extracted by AMD.exe
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/