WinRAR CVE-2023-38831 Vulnerability: Malware Exploits & APT Attacks

WinRAR CVE-2023-38831 is a zero-day exploited by multiple APT groups to drop and execute malware via specially crafted archives that present PDF or JPG decoys to the victim. The article details campaigns by groups such as DarkPink, Konni, SandWorm, APT28, and APT29, the malware families involved, and mitigation steps such as updating WinRAR.

Keypoints

  • CVE-2023-38831 is a WinRAR zero-day affecting versions before 6.23 that enables remote code execution through crafted archives.
  • Attackers embed malicious executables inside PDFs/JPGs within ZIP archives to trick users into triggering malware installation.
  • A global set of APT groups—DarkMe, UAC-0057, APT40, Konni, SandWorm, APT28, APT29, DarkPink, SideCopy—have exploited the flaw across sectors like trading, government, energy, and crypto.
  • Malware families delivered include DarkMe, GuLoader, Remcos, Agent Tesla, PicassoLoader, Rhadamanthys, and others (e.g., BumbleBee, WhiteSnake, njRAT, BOXRAT) with various C2 frameworks.
  • Campaigns show varied delivery techniques (phishing with ZIPs, BAT/HTML/JS payloads, LNK files invoking MSHTA, PowerShell) and C2 infrastructure (Cobalt Strike, Ngrok tunnels, Dropbox links).
  • Mitigation emphasizes updating WinRAR to the latest version and applying vigilant detection as described by Uptycs.
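
The two defensive checks a practitioner would want from the keypoints above are a way to spot the crafted archive before anyone opens it and a way to gate on the fixed WinRAR version. The following is an added example, not code from the Uptycs article. It assumes the layout described in public write-ups of the flaw (not spelled out on this page): a harmless-looking top-level file and a folder whose name collides with that file once trailing whitespace is trimmed, with the folder holding the script or executable that actually runs when the decoy is opened. The sample entry list and the clean archive are constructed inline.

```python
"""Static check of ZIP entry names for the decoy-file layout behind
CVE-2023-38831, plus a WinRAR version gate.  Added example, not code from
the Uptycs article.  Assumption (public write-ups, not stated on this page):
the crafted archive carries a top-level decoy file and a folder whose name
collides with it after trailing whitespace is trimmed; the folder holds the
executable/script that runs when the decoy is double-clicked."""
import io
import os
import zipfile
from collections import defaultdict

# Extensions Windows will execute directly or hand to a script host.
EXEC_EXT = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".vbe",
            ".js", ".jse", ".wsf", ".hta", ".ps1", ".lnk", ".dll"}

FIXED_VERSION = (6, 23)   # first WinRAR release without the flaw, per the article


def _norm(name: str) -> str:
    """Collapse the trailing-whitespace trick so "report.pdf " == "report.pdf"."""
    return name.rstrip().lower()


def _ext(name: str) -> str:
    return os.path.splitext(name.rstrip())[1].lower()


def find_decoy_collisions(names):
    """Given ZIP entry names, return [(decoy_file, [payload entries])] for every
    top-level file whose normalised name is also a top-level directory that
    contains an executable/script entry.  Empty list means no collision."""
    top_files = {}
    dir_members = defaultdict(list)
    for n in names:
        if n.endswith("/"):          # explicit directory entry, nothing to check
            continue
        head, sep, _rest = n.partition("/")   # ZIP always uses "/" separators
        if sep:
            dir_members[_norm(head)].append(n)
        else:
            top_files[_norm(head)] = n
    hits = []
    for key, decoy in top_files.items():
        payloads = [m for m in dir_members.get(key, ()) if _ext(m) in EXEC_EXT]
        if payloads:
            hits.append((decoy, payloads))
    return hits


def scan_zip_bytes(data: bytes):
    """Run the name check over a ZIP held in memory; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_collisions(zf.namelist())


def winrar_is_vulnerable(display_version: str) -> bool:
    """True for any version string below 6.23, e.g. "6.22" or "6.10 beta 1"."""
    digits = display_version.split()[0].split(".")
    parsed = tuple(int(p) for p in digits[:2] if p.isdigit())
    return parsed < FIXED_VERSION


def _benign_sample() -> bytes:
    """Constructed clean archive used as a negative case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("images/logo.jpg", b"\xff\xd8 placeholder")
    return buf.getvalue()


BENIGN_SAMPLE = _benign_sample()
# Constructed entry list (names only, no archive is built) showing the layout
# the check looks for: decoy "report.pdf " and a same-named folder with a .cmd.
SUSPICIOUS_NAMES = ["report.pdf ", "report.pdf /report.pdf .cmd",
                    "report.pdf /notes.txt"]

if __name__ == "__main__":
    print(find_decoy_collisions(SUSPICIOUS_NAMES))
    print(scan_zip_bytes(BENIGN_SAMPLE))
    print(winrar_is_vulnerable("6.22"), winrar_is_vulnerable("6.23"))
```

The check works on the central directory alone, so it can run at a mail gateway or on a file share without extracting anything; a hit means the archive deserves quarantine regardless of what the decoy looks like. The version gate is meant for inventory data (for example the DisplayVersion value an endpoint agent already collects), not as a substitute for actually updating.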

MITRE Techniques

  • [T1566] Phishing – Initial Access via phishing emails containing malicious ZIP files. “phishing emails containing malicious ZIP files to deploying different families of malware”
  • [T1203] Exploitation for Client Execution – Triggered by a crafted archive whose structure is slightly modified so that WinRAR passes the wrong parameter to ShellExecute when opening the decoy. “The vulnerability is triggered by creating specially crafted archives with a slightly modified structure, which causes WinRAR’s ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.”
  • [T1059] Command and Scripting Interpreter – Execution via BAT/PowerShell/JS/HTML/VBScript throughout campaigns (e.g., BAT files, MSHTA/HTA, JavaScript). “When a victim double-clicks on the PDF, the vulnerability will quietly launch a script… and later uses BAT/JS/HTA/PowerShell”
  • [T1574.002] DLL Side-Loading – DLL side-loading/injection (e.g., twinapi.dll used in a side-loading attack). “twinapi.dll … forming a side-loading attack mode.”
  • [T1205] Traffic Signaling – Persistence and C2 via traffic signaling in at least one campaign. “Traffic Signaling”
  • [T1548.002] Bypass User Account Control – Privilege Escalation via UAC bypass in some campaigns. “Bypass User Account Control”
  • [T1112] Modify Registry – Defense Evasion by registry modification. “Modify Registry”
  • [T1555.003] Credentials from Web Browsers – Credential access from browser data. “Credentials from Web Browsers”
  • [T1082] System Information Discovery – Discovery of system information. “System Information Discovery”
  • [T1563] Remote Service Session Hijacking – Lateral movement via remote service/session hijacking. “Remote Service Session Hijacking”
  • [T1560] Archive Collected Data – Data collection/archiving before exfiltration. “Archive Collected Data”
  • [T1071] Application Layer Protocol – C2 over application layer protocols. “Application Layer Protocol”
  • [T1105] Ingress Tool Transfer – Transfer of tools/payloads to the victim environment. “Ingress Tool Transfer”
  • [T1218.005] Mshta – LOLBin usage for executing HTA/JS via Mshta. “Mshta.exe”
  • [T1059.003] Windows Command Shell – Cmd.exe usage for command execution. “Cmd.exe”
  • [T1059.001] PowerShell – PowerShell usage for payload deployment. “PowerShell”
  • [T1059.005] VBScript – VBScript via WScript.exe for execution. “WScript.exe”
  • [T1574.002] RunDLL32 – DLL side-loading via RunDLL32 usage. “RunDLL32.exe”
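
The execution techniques listed above (WinRAR launching a script host, scripts running out of WinRAR's extraction folder, the named side-loading files) translate directly into process-creation detections. The block below is an added example, not part of the Uptycs article or any vendor rule set. The log lines are constructed here in a simplified key=value form modelled on Sysmon Event ID 1; the WinRAR temporary folder prefix `Rar$` and the two [File] IoCs from this page are the only real-world values, while the paths, user name and file names are made up.

```python
"""Process-lineage detection for the CVE-2023-38831 execution chain.
Added example, not Uptycs code.  SAMPLE_EVENTS are constructed lines in a
simplified Sysmon Event ID 1 (process creation) layout."""

# Script hosts / LOLBins named in the technique list above.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe"}
# [File] IoCs from this page; flagged only outside C:\Windows, since a
# side-loaded copy lives next to the loader, not in System32.
IOC_FILES = {"cc.exe", "twinapi.dll"}

# Constructed sample events (user "u", archive and payload names invented).
SAMPLE_EVENTS = [
    r'EventID=1|Image=C:\Program Files\WinRAR\WinRAR.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine="C:\Program Files\WinRAR\WinRAR.exe" C:\Users\u\Downloads\trade.zip',
    r'EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\WinRAR\WinRAR.exe'
    r'|CommandLine=cmd.exe /c "C:\Users\u\AppData\Local\Temp\Rar$DIa1234\report.pdf .cmd"',
    r'EventID=1|Image=C:\Windows\System32\mshta.exe|ParentImage=C:\Windows\System32\cmd.exe'
    r'|CommandLine=mshta.exe C:\Users\u\AppData\Local\Temp\x.hta',
    r'EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine=notepad.exe',
    r'EventID=1|Image=C:\Windows\System32\rundll32.exe|ParentImage=C:\Windows\System32\cmd.exe'
    r'|CommandLine=rundll32.exe C:\Users\u\AppData\Roaming\Adobe\twinapi.dll',
]


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; only the first '=' of each field is a separator."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(lines):
    """Return [(rule_id, line_index)] for every rule that fires on each line."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        image = _basename(ev.get("Image", ""))
        parent = _basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "").lower()

        # Rule 1: WinRAR itself is the parent of a script host (T1203 -> T1059).
        if parent == "winrar.exe" and image in SCRIPT_HOSTS:
            hits.append(("winrar_spawns_script_host", i))

        # Rule 2: a script host runs something out of WinRAR's %TEMP%\Rar$... folder,
        # which is where WinRAR unpacks an entry that the user double-clicks.
        if image in SCRIPT_HOSTS and "\\temp\\rar$" in cmdline:
            hits.append(("script_host_runs_from_rar_temp", i))

        # Rule 3: a page IoC file name referenced from outside C:\Windows
        # (covers the twinapi.dll side-loading and the cc.exe dropper).
        if any(name in cmdline for name in IOC_FILES) and "\\windows\\" not in cmdline:
            hits.append(("known_ioc_filename", i))
    return hits


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} -> {SAMPLE_EVENTS[idx][:80]}")
```

Rule 1 is the high-confidence signal: WinRAR has no business starting cmd.exe, mshta.exe or wscript.exe, so it can page on its own. Rule 2 catches the same chain when the process tree has been broken (for example when an intermediate cmd.exe has already exited), and Rule 3 is the page's file IoCs expressed as a hunt query; on a real fleet the path exclusion should be tightened to the exact legitimate location of twinapi.dll rather than the whole Windows directory.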

Indicators of Compromise

  • [Hash] SideCopy – 5716244ce0f3bbae24b79db810e80cd5001b320e6608a838284b22889143ca66, 5893b58d6a6a772f8ecd491a4dace11007fd1aac90e5f4a0363288d1376e1ce5
  • [Hash] APT29 – eec902a61886198a8e48ac862fabeecd628f2fa4122b78a0d7d6ee5c256ae724, f78ee3005ca9f0e78a9dd136fc69afe7c06d69d1fc6218bc9e7eb3adec045977
  • [Domain] Domain – vmi1433024[.]contaboserver[.]net, d287-206-123-149-139[.]ngrok-free[.]app
  • [IP] IP – 45[.]142[.]212[.]34, 38[.]242[.]149[.]89
  • [File] File – cc.exe, twinapi.dll

Read more: https://www.uptycs.com/blog/cve-2023-38831-winrar-zero-day