Security experts are warning that nation-state hackers are targeting a vulnerability in WinRAR, a popular Windows utility for archiving files. Google's Threat Analysis Group has observed government-backed hacking groups from multiple countries, including China and Russia, exploiting the bug. The Russian military's Sandworm hacking team has been running a phishing campaign against the Ukrainian energy sector using a bogus PDF document that carried malware. Another campaign, attributed to China, targeted Papua New Guinea with Dropbox links that led to malware. The vulnerability in WinRAR version 6.23 allows malware to run when a user simply double-clicks a file inside an archive. Although a patch is available, many users have not updated the software, leaving them exposed to exploitation.
Google has tracked at least four campaigns by advanced persistent threat groups using the WinRAR vulnerability. These campaigns targeted the Ukrainian energy sector, Ukrainian government organizations, Ukrainian energy infrastructure, and Papua New Guinea. The widespread exploitation of the WinRAR bug shows how effective a known vulnerability remains even after a patch is available. Hackers first began exploiting the vulnerability in April, targeting financial traders and gaining access to cryptocurrency and securities traders' accounts. Group-IB warned that hackers were using the vulnerability to make malicious scripts appear as legitimate file types inside compressed WinRAR archives.
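As an added illustration, not code from the article, Google or Group-IB: a small Python check for the archive layout that public analyses of this bug described, namely a decoy file name (typically ending in a space) paired with a same-named directory that holds a script with an executable extension. The function name, the extension list and the constructed sample archive are assumptions of this example.

```python
import io
import os
import zipfile

# File types a Windows shell runs directly (assumed list, not from the article).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr"}


def find_decoy_collisions(zip_bytes):
    """Return (decoy_file, script_path) pairs found in a ZIP archive.

    Pattern looked for: a regular entry such as 'invoice.pdf ' (trailing
    space) next to a directory of the same name containing a script, e.g.
    'invoice.pdf /invoice.pdf .cmd'. A file and a directory sharing one
    name cannot coexist on disk, so the collision itself is suspicious.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    hits = []
    for decoy in files:
        prefix = decoy + "/"  # entries below a directory named like the decoy
        for other in files:
            if other.startswith(prefix):
                ext = os.path.splitext(other)[1].lower()
                if ext in SCRIPT_EXTS:
                    hits.append((decoy, other))
    return hits


def build_sample_archive():
    """Constructed sample: a benign-looking 'invoice.pdf ' plus a directory of
    the same name hiding an inert placeholder 'invoice.pdf .cmd'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4 placeholder")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"REM placeholder\r\n")
        zf.writestr("notes.txt", b"harmless")
    return buf.getvalue()


def build_clean_archive():
    """Constructed control sample with no name collision."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("scripts/setup.cmd", b"REM placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, script in find_decoy_collisions(build_sample_archive()):
        print(f"decoy {decoy!r} hides script {script!r}")
```

The check flags the collision regardless of whether the decoy name ends in a space, so it also surfaces less careful variants of the same layout.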
It is important to note that WinRAR does not include an automatic-update capability, so users must manually download and install updates. This makes it harder for users to keep the software secure and up to date. Automatic updating has been built into many widely used pieces of software, which has contributed to a decline in attackers' use of automated exploit kits. These recent campaigns highlight the importance of patching and the need to make it easier for users to keep their software secure.
