Government-backed hackers from Russia and China exploited a known vulnerability in outdated versions of WinRAR, the world’s most popular compression tool with over 500 million users. Google’s Threat Analysis Group (TAG) said Wednesday it observed a number of government-backed hacking campaigns utilizing the WinRAR bug starting in early 2023.
“To ensure protection, we urge organizations and users to keep software fully up-to-date and to install security updates as soon as they become available,” said Google’s Kate Morgan in a TAG blog post.
The vulnerability exists in all of RARLAB's WinRAR products prior to version 6.23, which was released in August shortly after the bug was discovered. The vulnerability was brought to light by Group-IB, which identified how hackers infiltrated a finance forum full of traders, infected the devices of 130 forum members, and withdrew funds from their brokerage accounts.
“The cybercriminals are exploiting a vulnerability that allows them to spoof file extensions,” wrote Andrey Polovinkin, Malware Analyst at Group-IB, in a blog post back in August. “They are able to hide the launch of malicious script within an archive masquerading as a ‘.jpg’, ‘.txt’, or any other file format.”
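The spoofing Polovinkin describes relies on how the archive is laid out rather than on any malformed data: a harmless-looking file (say "image.jpg") sits next to a directory with the same name plus a trailing space ("image.jpg /"), and that directory holds an executable whose name also ends in a space before the real extension ("image.jpg .cmd"). When a vulnerable WinRAR opens the decoy it extracts both and ends up running the file from the directory. Because the pattern is purely structural, it can be spotted in an archive's file listing before anything is extracted. The scanner below is an added example written for this article, not code from Google, Group-IB or RARLAB; it assumes the archive is a ZIP (the attack archives are read with Python's standard zipfile module), and the sample archives it builds are constructed fixtures with a harmless echo in place of any payload.

```python
"""Scan a ZIP archive's listing for the WinRAR < 6.23 extension-spoofing layout.

Added example for illustration; not code from the parties named in the article.
"""
import io
import os
import zipfile

# Extensions that Windows executes rather than opens for viewing (assumed list;
# extend to taste for your environment).
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".lnk"}


def find_spoofed_entries(names):
    """Return (decoy_file, script_path) pairs matching the trailing-space layout.

    names: archive entry names as returned by ZipFile.namelist().
    A hit means a file "X" exists alongside a directory "X " (trailing space)
    that contains an executable-extension file.
    """
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for name in sorted(files):
        parent, _, leaf = name.rpartition("/")
        if not parent.endswith(" "):
            continue                      # directory name must end in a space
        decoy = parent.rstrip(" ")
        if decoy not in files:
            continue                      # no same-named decoy next to it
        if os.path.splitext(leaf)[1].lower() in EXECUTABLE_EXTS:
            hits.append((decoy, name))
    return hits


def find_trailing_space_components(names):
    """Names with any path component ending in a space.

    Windows Explorer will not normally create such names, so they are worth
    flagging on their own even when the full decoy pattern is absent.
    """
    return [n for n in names
            if any(p.endswith(" ") for p in n.rstrip("/").split("/"))]


def scan_zip_bytes(data):
    """Scan an in-memory ZIP (bytes) and return both kinds of findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {
        "spoofed": find_spoofed_entries(names),
        "trailing_space": find_trailing_space_components(names),
    }


def build_sample_archive():
    """Constructed fixture (not a real-world sample): the attack's directory
    layout, with a harmless echo standing in for a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("image.jpg /image.jpg .cmd", "@echo constructed sample\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed fixture with an ordinary layout; should produce no findings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("notes/readme.txt", "hello\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python scan_winrar_layout.py [archive.zip]; defaults to the fixture.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_archive()
    for kind, items in scan_zip_bytes(data).items():
        for item in items:
            print(f"{kind}: {item}")
```

The listing-only approach means the scanner never extracts or runs anything, so it is safe to point at mail attachments or quarantined samples; a trailing-space finding without a matching decoy is a weaker signal, which is why the two checks are reported separately.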
Google identified “Sandworm,” a group attributed to the Russian Armed Forces, as one of the actors exploiting this vulnerability in WinRAR’s code. Sandworm specifically targeted users with some connection to the energy and defense sectors in Ukraine and Eastern Europe through phishing campaigns. Another group, “APT40,” which has been linked to China’s Ministry of State Security, was identified by Google as launching a malicious campaign against Papua New Guinea.
In a note on WinRAR’s version 6.23, the first update to patch the bug, RARLAB thanked Group-IB and the Zero Day Initiative for making them aware of the vulnerability, and “highly recommends to install the latest version.”
It has long been understood that users don’t update their software as much as they should, especially people who are not super comfortable using computers to begin with.
“These recent campaigns exploiting the WinRAR bug underscore the importance of patching and that there is still work to be done to make it easy for users to keep their software secure and up-to-date,” said Google’s TAG team.