WinRAR CVE-2023-38831: ZIP Spoofing Used by Multiple APT Groups
A WinRAR spoofing bug hid executables in ZIP files that appeared safe, exposing 500 million users to campaigns by APT40, Sandworm, and other state-sponsored actors.
By Arjun Raghavan, Security & Systems Lead, BIPI · November 5, 2024 · 8 min read
CVE-2023-38831 is a file spoofing vulnerability in WinRAR versions prior to 6.23 that allows a specially crafted ZIP archive to execute arbitrary code when a user opens what appears to be a benign file, such as a PDF or image, inside the archive. Google's Threat Analysis Group documented exploitation by at least four distinct nation-state threat actor clusters between April and August 2023.
How the Spoofing Mechanism Works
WinRAR renders the archive contents showing only the filename with the expected extension (for example, report.pdf) while silently processing a second entry named with a trailing space and the same base name (report.pdf ). That padded entry is a folder containing a hidden executable with the same display name. When the user double-clicks the apparent PDF, WinRAR opens the folder and executes the file inside it rather than the displayed document. The user sees only a document name; WinRAR executes a binary.
Threat Actor Activity
- APT40 (China-nexus): Targeted cryptocurrency traders and financial institutions
- Sandworm (Russia-nexus): Spear-phishing campaigns against Ukrainian government entities
- FROZENBARENTS (Russia-nexus): Energy sector targeting via commodity broker lures
- FROZENLAKE (Russia-nexus): Ukrainian defense and military targeting
- Financial cybercrime groups: Phishing lures disguised as trading strategy documents
Multiple unrelated threat actor groups discovered and weaponized CVE-2023-38831 independently, underscoring that unpatched Windows software with large install bases is a highly liquid attack commodity.
Observed Payloads
- DarkMe RAT: Used in financial sector campaigns attributed to EvilNum-linked actors
- GuLoader: Dropper observed delivering commodity stealers
- PowerShell-based loaders: Staged from actor-controlled infrastructure
- Rhadamanthys Stealer: Credential harvesting from browsers and crypto wallets
Detection Approaches
Static detection: inspect the ZIP archive structure for entries with identical base names where one entry name contains trailing whitespace. YARA rules exist to match this pattern in the archive's central directory. Behavioral detection: monitor for WinRAR spawning unexpected child processes, particularly PowerShell, cmd.exe, or regsvr32, from archive extraction paths.
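The static check described above, as an added example written for this article rather than code from the original page: a Python script that parses a ZIP's central directory with the standard zipfile module, flags top-level names carrying trailing whitespace, and reports when such a name exists as both a file and a folder holding an executable-looking child. The executable suffix list and the two constructed sample archives (inert text payloads) are assumptions made for the example.

```python
import io
import zipfile

# Extensions treated as executable for this check (assumed list for the example)
EXEC_SUFFIXES = (".exe", ".cmd", ".bat", ".com", ".scr", ".ps1", ".vbs", ".js", ".pif")


def find_padded_entries(zip_bytes: bytes) -> list[dict]:
    """Walk the central directory and return one finding per top-level name
    that carries trailing whitespace, noting whether it appears as both a
    file and a folder and which executable-looking children the folder holds."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    findings: dict[str, dict] = {}
    for name in names:
        head, sep, rest = name.partition("/")
        if head == head.rstrip():
            continue  # no trailing whitespace in the displayed name: not this pattern
        f = findings.setdefault(
            head, {"name": head, "is_file": False, "is_dir": False, "executables": []})
        if sep:  # entry lives under "<padded name>/"
            f["is_dir"] = True
            if rest and rest.lower().endswith(EXEC_SUFFIXES):
                f["executables"].append(rest)
        else:
            f["is_file"] = True
    return list(findings.values())


def is_cve_2023_38831_pattern(zip_bytes: bytes) -> bool:
    """True when a padded name is both a file and a folder holding an executable."""
    return any(f["is_file"] and f["is_dir"] and f["executables"]
               for f in find_padded_entries(zip_bytes))


def build_sample_archive() -> bytes:
    """Constructed sample with the spoofing layout; the 'payload' is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf ", b"%PDF-1.4 decoy document")
        zf.writestr("report.pdf /report.pdf .cmd", b"echo inert sample\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: same base name, no trailing whitespace, no folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 real document")
    return buf.getvalue()
```

Run it against an archive read from disk by passing the file's bytes to is_cve_2023_38831_pattern; the check reads only central-directory names and never extracts anything.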
Remediation
- Update WinRAR to version 6.23 or later immediately
- Consider deploying the free 7-Zip as an alternative with a smaller attack surface
- Apply AppLocker or WDAC policies to prevent execution from user temp directories
- Configure email security gateways to inspect ZIP contents before delivery
- Enable controlled folder access to limit payload write paths
Why Decades-Old Software Carries High Risk
WinRAR has shipped as a proprietary trialware product since 1995. Because it is not perceived as a security-critical application, it is rarely included in patch management programs. Organizations routinely have hundreds of endpoints running WinRAR versions that are years out of date. File association handlers for archive formats represent a systematic attack surface that defenders frequently overlook.
- Audit all endpoints for WinRAR version via asset inventory or SCCM query
- Remove WinRAR trial installations that are not actively required
- Ensure archive software is covered by enterprise patch management policy
- Block execution of ZIP-extracted binaries via EDR policy where feasible