Google researchers spot WinRAR exploits in the wild

By

Russian, Chinese actors using patched vulnerability.

A vulnerability in the popular WinRAR archiving utility is being exploited by state actors, despite of being patched in August.

Google researchers spot WinRAR exploits in the wild

According to Google’s Threat Analysis Group (TAG), the exploits began early this year, before the bug was publicly known.

“A patch is now available, but many users still seem to be vulnerable,” Google TAG’s advisory states. 

“TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.”

The bug is a logical vulnerability “causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces,” TAG explains. 

“The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive.”

Google said Group-IB had seen exploits deployed since April against financial traders.

Campaigns seen by Google TAG include Russia’s Sandworm group impersonating a Ukrainian drone training school to deliver an information stealer; a campaign by Frozenlake (AKA APT28), a Russian-attributed group, attacking Ukrainian infrastructure; another from Frozenlake deploying a malicious PowerShell script known as Ironjaw to create a reverse SSH shell controlled by the attacker; and an apparently Chinese-sourced attack against targets in Papua New Guinea.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

Eagers Automotive finds unauthorised access to parts of IT systems

Eagers Automotive finds unauthorised access to parts of IT systems

Hackers hit Victoria's court recording database

Hackers hit Victoria's court recording database

St Vincent's Health Australia warns cyber attack forensics could "take some time"

St Vincent's Health Australia warns cyber attack forensics could "take some time"

Yakult Australia confirms cyber incident

Yakult Australia confirms cyber incident

Log In

  |  Forgot your password?