Paying for WinRAR in all the wrong ways - Russia and China hitting ancient app

Incidentally, Windows 11 has native rar support now

If you needed another reason to keep your installation of venerable decompression app WinRAR updated, Google's Threat Analysis Group says it has spotted a vulnerability patched in August being actively abused by multiple state-backed threat actors. 

According to a blog post on Monday, TAG has spotted Russian and Chinese-linked teams making use of CVE-2023-38831, which was discovered by researchers from Group-IB over the summer and patched in WinRAR version 6.23, released in early August. 

Despite having been patched months ago, "many users still seem to be vulnerable," TAG noted. 

The exploit relies on a pair of quirks, one in WinRAR and another in Windows' ShellExecuteExW function, ultimately resulting in malicious files hidden in a RAR archive being expanded and executed. 

Invaders just need to add a space to an otherwise legitimate file, which confuses versions of WinRAR prior to 6.23 into temporarily expanding directories with the same name as the file, which is where the malware is hidden. 

"If a directory is found with the same name as the selected entry, both the selected file and the files inside a matched directory are extracted to the root of a random temporary directory," TAG noted. WinRAR also performs path normalization, removing the appended spaces, because Windows doesn't allow trailing spaces in its file structure. 

WinRAR then calls ShellExecuteExW to run the file originally selected by the user, and it's here that WinRAR's vulnerability gives way to issues in Windows. 

"ShellExecute attempts to identify file extensions by calling 'shell32!PathFindExtension' which fails because extensions with spaces are considered invalid." Instead of giving up, "ShellExecute proceeds to call 'shell32!ApplyDefaultExts' which iterates through all files in a directory, finding and executing the first file with an extension matching any of the hardcoded ones," such as .bat, .cmd or .exe, among others. 

In Google's example, a file named "poc.png_" (with the underscore representing the appended space) is the original item the user selected, but WinRAR also expands an identically named directory "poc.png_/" and an identically-named file that's actually a shell script: poc.png_.cmd. 
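As an added illustration of the layout TAG describes (this is not code from Google TAG, Group-IB or The Register), the check below takes the entry names a RAR lister would print and flags the pattern from the example above: a top-level file whose name ends in a space, a directory of the same name, and an executable inside it with a matching stem. The sample listing, the function name and the extension set are assumptions; the article gives .bat, .cmd and .exe "among others", so the set is partial.

```python
"""Heuristic check for the CVE-2023-38831 archive layout described above.

Added example, not code from Google TAG, Group-IB or The Register. It does
not parse RAR itself: it takes the entry names a RAR lister would print and
looks for a top-level file whose name ends in a space, a directory of the
same name, and an executable inside it whose stem matches that file.
"""
from __future__ import annotations

# Extensions the article names for ShellExecute's ApplyDefaultExts fallback
# (.bat, .cmd, .exe "among others"); treat this as a partial list.
EXEC_EXTS = {".bat", ".cmd", ".exe"}

# Constructed sample listing mirroring TAG's "poc.png" example (the trailing
# space is kept here; the article shows it as "_").
SAMPLE_LISTING = ["poc.png ", "poc.png /", "poc.png /poc.png .cmd", "readme.txt"]


def find_decoy_pairs(entries: list[str]) -> list[dict[str, str]]:
    """Return one finding per (space-suffixed decoy file, matching executable)."""
    names = [e.replace("\\", "/") for e in entries]  # RAR listings may use '\'
    top_level = {n for n in names if "/" not in n}
    findings = []
    for decoy in sorted(top_level):
        if not decoy.endswith(" "):
            continue  # the trick depends on the appended space
        prefix = decoy + "/"
        for child in names:
            if not child.startswith(prefix):
                continue
            base = child[len(prefix):]
            if not base or "/" in base:
                continue  # the directory entry itself, or a deeper path
            stem, dot, ext = base.rpartition(".")
            ext = ("." + ext.lower()) if dot else ""
            # Windows strips trailing spaces on extraction, so compare the
            # stems both with and without the appended space.
            if ext in EXEC_EXTS and stem.rstrip() == decoy.rstrip():
                findings.append({"decoy": decoy, "payload": child, "ext": ext})
    return findings


if __name__ == "__main__":
    for hit in find_decoy_pairs(SAMPLE_LISTING):
        print(f"decoy {hit['decoy']!r} would launch {hit['payload']!r}")
```

Feed it the output of your archive lister (or a `rarfile` namelist) to triage attachments before opening them in an unpatched client.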

An archive for our pwn

TAG said Russian-linked Sandworm and APT28 gangs are abusing this appended space WinRAR exploit, with both using it against Ukrainian targets, among others.

Sandworm is using the exploit to target Ukrainians interested in training to become drone pilots with the Rhadamanthys infostealer, while APT28 is using it to deliver malware targeting Ukrainian energy infrastructure. In particular, APT28 has been using it to deliver a PowerShell script known as IRONJAW that steals browser login data and local state directories. 

Chinese-linked APT40 has been using the vulnerability against targets in Papua New Guinea, TAG said. 

For those wondering if this is the same WinRAR exploit we covered in August - no, it isn't, but it was patched in the same update. That vulnerability, CVE-2023-40477, had to do with a lack of full validation of user-supplied data when opening archives that allow memory access beyond the end of a buffer. 

For those concerned about falling victim to such an exploit, we note that Microsoft announced the addition of native support for non-zip compression formats like tar, 7-zip, gz and rar in May that was added with the new Windows 11 file explorer last month, so you can finally ditch that third-party software. Or pay for it and get updates. ®
