December 2, 2023

Hackers linked to the governments of Russia and China are allegedly using a vulnerability in a popular Windows tool to attack targets around the world, including in Ukraine and Papua New Guinea.

Google’s Threat Analysis Group (TAG) said that in recent weeks it has seen several government-backed groups exploiting CVE-2023-38831, a vulnerability affecting the Windows file archiver tool WinRAR.

The bug, which has been patched, was initially exploited by criminal groups throughout early 2023.

“TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations,” Google said.

TAG researchers said they observed a Russian hacking group they call FROZENBARENTS, allegedly housed within the Russian Armed Forces’ Main Directorate of the General Staff (GRU) Unit 74455, launch an email campaign on September 6 attempting to impersonate a Ukrainian drone warfare training school.

Using an invitation to join the school as a lure, the email contained a link to a benign PDF document and a malicious ZIP file that exploits CVE-2023-38831.

The payload came with malware known as Rhadamanthys, an infostealer that allows attackers to steal browser credentials and session information, among other things.

Image: Google

They noted that this infostealer, which cybercriminals typically rent in 30-day increments for about $250, had not been used by FROZENBARENTS in the other attacks Google’s team tracked earlier this year.

Google’s report notes that on September 4, Ukrainian cybersecurity officials at CERT-UA warned that the GRU was using CVE-2023-38831 to deliver malware targeting energy infrastructure.

China targeting Papua New Guinea

Google’s researchers also observed government-backed groups in China exploiting CVE-2023-38831 in phishing campaigns targeting organizations in Papua New Guinea.

Google attributed the activity to APT40, which it tracks as ISLANDDREAMS.

The emails contained a Dropbox link to a malicious ZIP archive holding a decoy PDF. The same archive carried ISLANDSTAGER, a tool the group developed to maintain access to a compromised system.
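Both lures above, the drone-school ZIP and the Dropbox ZIP, pair a decoy document with a CVE-2023-38831 trigger. The article does not spell out the archive layout, so the following is added here as a detection example and is not code from Google TAG or from the article. It relies on the published mechanics of the bug: WinRAR builds before 6.23 would, when a user opened a file “X” from an archive, also launch an executable found in a sibling directory named “X ” (the same name with a trailing space). The scanner flags any ZIP with that collision; the archives it checks are constructed samples, not real malware, and the payload extension list is an illustrative assumption.

```python
"""Scan ZIP archives for the directory/filename collision used by CVE-2023-38831 lures.

Added detection example, not code from Google TAG or the article. The archive
contents built below are constructed samples, not real malware.
"""
import io
import zipfile

# Extensions treated as a payload when found inside the colliding directory.
# Assumption: this list is illustrative, extend it to taste.
PAYLOAD_EXTS = (".cmd", ".bat", ".exe", ".com", ".scr", ".vbs", ".js", ".ps1", ".lnk")


def find_38831_pattern(zip_bytes):
    """Return [(decoy, payload)] pairs matching the CVE-2023-38831 layout.

    Pattern: a file "X" sits next to a directory "X " (same name plus a
    trailing space) that holds an executable. WinRAR before 6.23 launched
    that executable when the user opened the decoy "X" from the archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        files = {n for n in names if not n.endswith("/")}
        for name in names:
            if name.endswith("/"):
                continue  # explicit directory entry, nothing to launch
            parts = name.split("/")
            if len(parts) < 2:
                continue  # top-level file, cannot be the payload
            directory, leaf = parts[-2], parts[-1]
            stripped = directory.rstrip(" ")
            if stripped == directory:
                continue  # no trailing space in the directory name
            # The decoy must sit beside the padded directory, not inside it.
            parent = "/".join(parts[:-2])
            decoy = f"{parent}/{stripped}" if parent else stripped
            if decoy in files and leaf.lower().endswith(PAYLOAD_EXTS):
                findings.append((decoy, name))
    return findings


def build_samples():
    """Constructed archives: one laid out like the lures, one ordinary."""
    lure = io.BytesIO()
    with zipfile.ZipFile(lure, "w") as zf:
        zf.writestr("invitation.pdf", b"%PDF-1.4\n% harmless decoy\n")
        # Directory "invitation.pdf " (trailing space) holding the script.
        zf.writestr("invitation.pdf /invitation.pdf .cmd",
                    b"@echo off\r\nrem payload stand-in\r\n")
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("attachments/notes.txt", b"nothing to see\n")
    return lure.getvalue(), benign.getvalue()


if __name__ == "__main__":
    lure, benign = build_samples()
    print("lure:", find_38831_pattern(lure))      # one (decoy, payload) pair
    print("benign:", find_38831_pattern(benign))  # []
```

The check inspects the central directory only and never extracts, so it is safe to run on a mail gateway or in a sandbox. Note that the trailing space is what matters: Windows itself strips trailing spaces from names on extraction, which is why an after-the-fact look at an unpacked folder will not show the collision.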

The U.S. Department of Justice indicted four members of APT40 in 2021 for wide-ranging campaigns targeting organizations across Austria, Cambodia, Canada, Germany, Indonesia, Malaysia, Norway, Saudi Arabia, South Africa, Switzerland, and the United Kingdom.

The group was also allegedly involved in stealing data from research institutes and universities, often targeting infectious-disease research related to Ebola, MERS, HIV/AIDS, Marburg, and tularemia.

Researchers have warned of cybercriminals using CVE-2023-38831 in attacks since April, when it was used against financial traders to deliver various commodity malware families.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available,” Google said.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.