THREAT ADVISORY: Zero-Day Vulnerabilities Detected on WinRAR – Blogs on Information Technology, Network & Cybersecurity | Seqrite

Two WinRAR zero-day vulnerabilities (CVE-2023-38831 and CVE-2023-40477) enable remote code execution via specially crafted archives, with in-the-wild activity reported against online cryptocurrency trading accounts in 2023. Patches in WinRAR 6.23 (and later) mitigate these flaws; older versions remain at risk, especially where libraries like unrar.dll/unrar64.dll are involved. #CVE-2023-38831 #CVE-2023-40477 #WinRAR #unrar

Key points

  • Two zero-day flaws in WinRAR (CVE-2023-38831 and CVE-2023-40477) can allow remote code execution via crafted archives.
  • Exploitation requires user interaction, such as opening a specially crafted ZIP/RAR archive.
  • Attack activity was observed in the wild from April to August 2023, including breaches of online cryptocurrency trading accounts.
  • CVE-2023-40477 involves a recovery volume/array index issue leading to a buffer overflow and remote code execution.
  • CVE-2023-38831 is a file extension spoofing vulnerability in which a benign file is deceptively paired with a malicious payload inside an archive.
  • Libraries unrar.dll and unrar64.dll are affected and used by many software products, including antivirus solutions.
  • WinRAR patches (version 6.23, released Aug 2, 2023, and Aug 24, 2023) mitigate these issues; updating immediately is advised.

MITRE Techniques

  • [T1203] Exploitation for Client Execution – The vulnerabilities allow remote attackers to execute arbitrary code on systems where WinRAR is installed. “These vulnerabilities require user interaction for exploitation.”
  • [T1059.003] Windows Command Shell – The crafted archive leads WinRAR to launch a batch/CMD script via ShellExecute, allowing malware execution. “the program launches a batch or CMD script”
  • [T1036] Masquerading – The file extension spoofing trick hides the malicious payload behind a benign file, confusing the user. “On opening the archives, users cannot differentiate the harmless files hiding the malicious payload.”

Indicators of Compromise

  • [FileName] – Examples of archive names observed in the attack: Trading_Strategy_2023.rar, Cryptocurrencies2023_mpgh.net.rar, and 3 more file names
  • [SHA-2 Hash] – Hashes observed for these archives: 763df8b2db7f2f2fa0c8adb8c1cc05ff15b59e6a9756cbe9fc4a1c12329b62af, 0860e09e529fc6ccbbffebafedc27497fbbcaff57b5376fb4cc732c331d1f591, and 3 more hashes
  • [Domain] – mpgh.net appears in the deceptive archive naming (Cryptocurrencies2023_mpgh.net.rar)
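As an added example (not Seqrite's code or tooling), the following Python triage helper turns the advisory's indicators and the lure/payload pairing described under Key points and MITRE Techniques into checks a defender can run on a suspect archive: SHA-256 and file-name matches against the IoCs quoted above, and, for ZIP files, a listing of batch/CMD entries plus a masquerading check for a script whose name embeds the name of a benign-looking entry. The sample archive contents are constructed here; RAR parsing is out of scope, so RAR files get only the hash and name checks.

```python
import hashlib
import io
import zipfile
from pathlib import PurePosixPath

# IoCs quoted in the advisory above (the two SHA-256 hashes and two archive
# names it lists in full; the "3 more" it mentions are not on the page).
IOC_SHA256 = {
    "763df8b2db7f2f2fa0c8adb8c1cc05ff15b59e6a9756cbe9fc4a1c12329b62af",
    "0860e09e529fc6ccbbffebafedc27497fbbcaff57b5376fb4cc732c331d1f591",
}
IOC_NAMES = {"Trading_Strategy_2023.rar", "Cryptocurrencies2023_mpgh.net.rar"}

SCRIPT_EXT = {".bat", ".cmd"}  # script types WinRAR hands to ShellExecute
LURE_EXT = {".pdf", ".jpg", ".png", ".txt", ".docx"}  # benign-looking lures

def _ext(name: str) -> str:
    return PurePosixPath(name.strip()).suffix.lower()

def triage_archive(name: str, data: bytes) -> dict:
    """Triage one archive given its file name and raw bytes.

    Returns hash/name matches against the advisory's IoCs plus, for ZIPs,
    the script entries and whether a script name embeds the name of a
    benign-looking entry (the lure/payload pairing the advisory describes).
    Non-ZIP input (e.g. RAR) only gets the hash and name checks."""
    result = {
        "hash_match": hashlib.sha256(data).hexdigest() in IOC_SHA256,
        "name_match": name in IOC_NAMES,
        "script_entries": [],
        "paired_lure": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [i.filename for i in zf.infolist() if not i.is_dir()]
    scripts = [e for e in entries if _ext(e) in SCRIPT_EXT]
    lures = [PurePosixPath(e).name.strip().lower() for e in entries if _ext(e) in LURE_EXT]
    result["script_entries"] = scripts
    # Masquerading check: a .bat/.cmd whose own name contains the name of a
    # benign-looking entry from the same archive (e.g. "notes.txt.cmd").
    result["paired_lure"] = any(
        lure in PurePosixPath(s).name.lower() for s in scripts for lure in lures
    )
    return result

def build_sample_zip() -> bytes:
    """Constructed sample: a text lure next to a same-named .cmd script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "quarterly figures\n")
        zf.writestr("notes.txt.cmd", "@echo harmless stand-in for a payload\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_archive("report.zip", build_sample_zip()))
```

A hit on any of the four fields is a reason to quarantine the archive and confirm the WinRAR build on the receiving host is 6.23 or later.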

Read more: https://www.seqrite.com/blog/threat-advisory-zero-day-vulnerabilities-detected-on-winrar/