Google researchers spot WinRAR exploits in the wild

A vulnerability in the popular WinRAR archiving utility is being exploited by state actors, despite of being patched in August.

According to Google’s Threat Analysis Group (TAG), the exploits began early this year, before the bug was publicly known.

“A patch is now available, but many users still seem to be vulnerable,” Google TAG’s advisory states. 

“TAG has observed government-backed actors from a number of countries exploiting the WinRAR vulnerability as part of their operations.”

The bug is a logical vulnerability “causing extraneous temporary file expansion when processing crafted archives, combined with a quirk in the implementation of Windows’ ShellExecute when attempting to open a file with an extension containing spaces,” TAG explains. 

“The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file (such as an ordinary PNG file) within a ZIP archive.”

Google said Group-IB had seen exploits deployed since April against financial traders.

Campaigns seen by Google TAG include Russia’s Sandworm group impersonating a Ukrainian drone training school to deliver an information stealer; a campaign by Frozenlake (AKA APT28), a Russian-attributed group, attacking Ukrainian infrastructure; another from Frozenlake deploying a malicious PowerShell script known as Ironjaw to create a reverse SSH shell controlled by the attacker; and an apparently Chinese-sourced attack against targets in Papua New Guinea.