Google's Threat Analysis Group analyzes recent state-sponsored campaigns exploiting the WinRAR vulnerability, CVE-2023-38831.
Analysis Summary
# Vulnerability: WinRAR Arbitrary Code Execution via Crafted Archives (CVE-2023-38831)
## CVE Details
- CVE ID: CVE-2023-38831
- CVSS Score: Not explicitly provided, but confirmed to be exploited as a 0-day by government-backed groups, implying **High** severity.
- CWE: Logic Error in File Handling/Parsing (related to arbitrary file execution)
## Affected Systems
- Products: WinRAR (Windows file archiver tool)
- Versions: Versions prior to **WinRAR 6.23**
- Configurations: Any Windows system attempting to view or open a crafted archive file through the WinRAR user interface.
## Vulnerability Description
CVE-2023-38831 is a logic flaw in how WinRAR versions prior to 6.23 process crafted archives. When a user double-clicks a file entry in a specially constructed archive whose name carries a trailing space after the extension (e.g., `"poc.png_"`, where `_` stands for a space), WinRAR behaves unexpectedly:
1. WinRAR iterates through the archive entries; if a directory in the archive has the same name as the selected entry, both the selected file and the files inside that directory are extracted to a temporary directory.
2. Path normalization removes trailing spaces from filenames, so an entry named `"poc.png_"` ends up on disk as `"poc.png"` in the temp folder.
3. However, the call to `ShellExecuteExW` still receives the *unnormalized* path, trailing space included (`"%TEMP%\\{random_directory}\\poc.png_"`).
4. Windows' `ShellExecute` cannot resolve an extension on the unnormalized path and falls back to `shell32!ApplyDefaultExts`, which launches the first file it finds by appending a hardcoded list of executable extensions (.pif, .com, .exe, .bat, .lnk, .cmd).
5. If the attacker placed an executable with a matching name (e.g., `poc.png_.cmd`) in the same-named directory, so that it is extracted alongside the benign file, that executable runs instead of the file the user intended to open.
## Exploitation
- Status: **Exploited in the wild** (Observed being used as a 0-day by APT and financially motivated groups since at least April 2023).
- Complexity: **Low** (Exploit generators are publicly available; execution relies on a user double-clicking a file within the WinRAR UI).
- Attack Vector: **Network** (via delivery of a malicious archive).
## Impact
- Confidentiality: **High** (As seen by payloads like Rhadamanthys infostealer).
- Integrity: **High** (Arbitrary code execution leads to system compromise).
- Availability: **High** (System compromise or ransomware/malware deployment).
## Remediation
### Patches
- **WinRAR version 6.23** released in August 2023 contains the necessary security fixes.
### Workarounds
- Keep software fully up-to-date.
- Google recommends the use of **Google’s Safe Browsing and Gmail**, which can block files containing the exploit.
- Be highly suspicious of archives received from untrusted sources, even if they appear to contain benign files.
## Detection
- Suspicious execution chains in which a WinRAR process launches an executable (.exe, .cmd, .bat) from a temporary directory.
- `ShellExecute` launches where the requested file name ends in a trailing space and the file actually started carries one of the default fallback extensions (.pif, .com, .exe, .bat, .lnk, .cmd); the same trailing-space pairing can be checked inside archives before they reach a user.
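Added example, not code from the Google TAG report or any project: a Python scanner that applies the archive layout from the Vulnerability Description and the trailing-space check from the Detection notes above. It assumes the archive is a ZIP (Python's stdlib `zipfile` does not read RAR), and the sample archive it scans is constructed inline with inert placeholder contents.

```python
import io
import posixpath
import zipfile

# Fallback extensions tried by shell32!ApplyDefaultExts, as listed above.
DEFAULT_EXTS = (".pif", ".com", ".exe", ".bat", ".lnk", ".cmd")


def find_trailing_space_pairs(data: bytes) -> list:
    """Flag every lure entry ("name ") that has an executable under "name /".

    Returns a list of {"lure": ..., "payload": ...} dicts; an empty list
    means the archive does not show the CVE-2023-38831 layout.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # A file entry whose base name ends in a space is the lure.
        lures = [i for i in infos
                 if not i.is_dir() and posixpath.basename(i.filename).endswith(" ")]
        for lure in lures:
            folder = lure.filename + "/"          # same-named directory
            for other in infos:
                if other.is_dir() or not other.filename.startswith(folder):
                    continue
                # WinRAR strips trailing spaces on extraction, so compare the
                # normalized name against the default-extension fallback list.
                name = posixpath.basename(other.filename).rstrip(" ").lower()
                if name.endswith(DEFAULT_EXTS):
                    findings.append({"lure": lure.filename,
                                     "payload": other.filename})
    return findings


def build_sample(crafted: bool) -> bytes:
    """Constructed test input; member contents are inert text, not a working PoC."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"benign archive member")
        if crafted:
            zf.writestr("poc.png ", b"not a real image")
            zf.writestr("poc.png /poc.png .cmd", b"rem inert placeholder\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for crafted in (False, True):
        print("crafted" if crafted else "benign", "->",
              find_trailing_space_pairs(build_sample(crafted)))
```

A mail gateway or sandbox can run the same check on attachments; a lure entry without a paired executable is still worth logging, since the trailing space has no legitimate reason to be there.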
### Indicators of Compromise (IoCs)
* **URLs/Domains associated with FROZENBARENTS:**
* `https://fex[.]net/s/bttyrz4`
* `https://fex[.]net/s/59znp5b`
* **URLs/Domains associated with FROZENLAKE:**
* `http://webhook[.]site/e2831741-d8c8-4971-9464-e52d34f9d611`
* **URLs/Domains associated with ISLANDDREAMS:**
* `https://filetransfer[.]io/data-package/DVagoJxL/download`
* **File Hashes (FROZENLAKE):**
* `072afea7cae714b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7`
* `91dec1160f3185cec4cb70fee0037ce3a62497e830330e9ddc2898f45682f63a`
* `77cf5efde721c1ff598eeae5cb3d81015d45a74d9ed885ba48330f37673bc799`
* **IP Address (FROZENLAKE):**
* `216.66.35[.]145`
## References
- Vendor Advisory (RARLabs information on new versions): `https://www.rarlab.com/rarnew.htm`
- Security Analysis (0day RCA): `https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2023/CVE-2023-38831.html`
- Group-IB Blog: `https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/`
- Google TAG Report (FROZENBARENTS): `https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/`
- GitHub PoC: `https://github.com/BoredHackerBlog/winrar_CVE-2023-38831_lazy_poc`