UAC-0099’s New Weapon: The WinRAR Exploit You Can’t Ignore

Aug 7, 2025 · By Ankireddy Sai Sandeep Reddy · 3 min read

Executive Summary

A critical vulnerability in WinRAR, identified as CVE-2023-38831, is being actively exploited by threat actors to execute arbitrary code on a victim’s machine. This flaw allows attackers to craft malicious ZIP archives that can deliver malware when a user attempts to view a seemingly benign file. This vulnerability has been used in targeted attacks, and immediate patching is crucial to prevent compromise.

Background on WinRAR

WinRAR is a widely used file archiver utility for Windows. Its ability to create and view archives in various formats, such as RAR and ZIP, has made it a popular tool for both personal and professional use. This widespread adoption makes it a high-value target for cyber attackers seeking to distribute malware.

Vulnerability Details

  • CVE-ID: CVE-2023-38831
  • CVSS Score: 7.8 (High)
  • EPSS Score: 93.65%
  • Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
  • Affected Software: WinRAR versions prior to 6.23

Infection Method

The campaign leverages the vulnerability through a multi-step attack chain:

  1. Initial Access: Attackers craft a malicious ZIP archive containing a benign-looking decoy file (e.g., a PDF or JPG) alongside a folder whose name matches the decoy's file name. In the publicly documented exploit the folder name carries a trailing space (for example a decoy "report.pdf" next to a folder "report.pdf " that holds "report.pdf .cmd"), and the archive is delivered as a spearphishing attachment.
  2. Exploitation: When the user opens the archive in a vulnerable WinRAR build and double-clicks the decoy, WinRAR extracts both the decoy and the contents of the same-named folder into its temporary directory before handing the file name to the Windows shell for opening.
  3. Script Execution: Because of the name collision, the shell resolves that request to the script inside the folder rather than to the decoy, so the script runs with the user's privileges while the user expected a document to open.
  4. Payload Delivery: The executed script then downloads and installs the primary malware payload, such as MATCHBOIL, MATCHWOK, or DRAGSTARE.
  5. Persistence: The malware establishes persistence on the infected system, typically through scheduled tasks.
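The name collision in steps 1 to 3 is visible in the archive's central directory before anything is extracted, so it can be checked at a mail gateway or on a file share without opening the archive in WinRAR. The following scanner is an added example written for this article, not code from SecPod or from the analysts who documented UAC-0099. The executable-extension list and the two sample archives are constructed here; the "report.pdf" / "report.pdf .cmd" layout follows the publicly documented exploit, and the check deliberately ignores trailing spaces so it also catches variants where the folder name matches the decoy exactly.

```python
"""Flag ZIP archives carrying the CVE-2023-38831 decoy/folder collision.

Added example; not SecPod's, RARLAB's or CERT-UA's code. The pattern is the
one described in public analyses of the bug: a top-level decoy file
("report.pdf") beside a folder named like the decoy plus a trailing space
("report.pdf ") that holds a script ("report.pdf .cmd"). The extension list
and the sample archives below are constructed for this example.
"""
import io
import os
import sys
import zipfile

# Extensions the Windows shell executes rather than displays (assumed list).
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".vbe",
             ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk"}


def find_decoy_collisions(archive_bytes: bytes) -> list[dict]:
    """Return one finding per file that sits inside a folder named after a
    top-level file of the same archive (trailing spaces ignored).

    The check works purely on entry names from the central directory, so it
    does not care whether the archive has an explicit directory entry.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [zi.filename.replace("\\", "/")
                 for zi in zf.infolist() if not zi.is_dir()]

    top_level_files = {n for n in names if "/" not in n}
    findings = []
    for name in names:
        folder, sep, inner = name.partition("/")
        if not sep:
            continue                      # top-level file, not a folder child
        decoy = folder.rstrip(" ")
        if decoy not in top_level_files:
            continue                      # ordinary folder, no name collision
        leaf = inner.rsplit("/", 1)[-1]
        ext = os.path.splitext(leaf.rstrip(" "))[1].lower()
        findings.append({
            "decoy": decoy,               # file the user thinks they open
            "folder": folder,             # colliding folder, as stored
            "payload": name,              # entry the shell would run instead
            "executable": ext in EXEC_EXTS,
        })
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry name: content} (for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the public exploit layout with a harmless stand-in
# payload, and a normal archive that also ships a top-level PDF.
MALICIOUS_ZIP = build_archive({
    "report.pdf": b"%PDF-1.4\n% decoy the victim expects to see\n",
    "report.pdf /report.pdf .cmd": b"@echo off\r\necho stand-in for a dropper\r\n",
})
BENIGN_ZIP = build_archive({
    "report.pdf": b"%PDF-1.4\n% a real document\n",
    "attachments/notes.txt": b"meeting notes\n",
})


def scan_file(path: str) -> list[dict]:
    """Scan one ZIP on disk."""
    with open(path, "rb") as fh:
        return find_decoy_collisions(fh.read())


if __name__ == "__main__":
    # Usage: python scan_zip.py suspect1.zip suspect2.zip ...
    for path in sys.argv[1:]:
        for hit in scan_file(path):
            print(f"{path}: {hit['payload']!r} shadows {hit['decoy']!r} "
                  f"(executable={hit['executable']})")
```

A hit with `executable` set to True is the exploit layout; a collision with a non-executable payload is still worth a look, because the same trick can launch any file type the shell has a handler for. RAR archives use a different container format, so this check covers only ZIP input.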

Malware Behavior and Capabilities

The malware delivered through this exploit exhibits a range of malicious capabilities, including:

  • Backdoor Access: Provides the attacker with remote control over the compromised system.
  • Credential Theft: Steals sensitive information, including login credentials from web browsers.
  • Data Exfiltration: Collects and exfiltrates files with specific extensions, such as “.docx,” “.pdf,” and “.xls.”
  • Command Execution: Executes arbitrary PowerShell commands received from a command-and-control server.

Observed MITRE ATT&CK Techniques

The observed attack activities align with several MITRE ATT&CK techniques:

T1020 – Automated Exfiltration: Used by DRAGSTARE to steal files and exfiltrate sensitive data from the victim’s system.

T1566.001 – Phishing: Spearphishing Attachment: Used for initial access via malicious HTA, LNK, and archive file attachments.

T1059.001 – Command and Scripting Interpreter: PowerShell: Used to execute obfuscated PowerShell commands embedded by the MATCHWOK backdoor.

T1053.005 – Scheduled Task/Job: Scheduled Task: Used for persistence by creating scheduled tasks that execute the malware payloads.

T1027 – Obfuscated Files or Information: Employed by UAC-0099 to evade detection through obfuscated VBScript and PowerShell scripts.

T1105 – Ingress Tool Transfer: Downloading additional payloads such as MATCHWOK and DRAGSTARE from command-and-control servers.

Impact

  • Remote takeover of the affected device.
  • Unauthorized access to sensitive personal and corporate data.
  • Lateral movement within corporate networks.
  • Potential for widespread malware infections.

Mitigation Steps

  1. Patch Software: Update WinRAR to version 6.23 or later on every endpoint. WinRAR does not update itself, so the new build has to be pushed through your software deployment tooling, and the installed version should be verified afterwards rather than assumed.
  2. Restrict WinRAR: If patching is not immediately possible, block or restrict WinRAR on critical systems (for example through application control) and open untrusted archives only with a patched tool.
  3. Threat Hunting:
    • Monitor for WinRAR.exe spawning shells or script hosts (cmd.exe, powershell.exe, wscript.exe, mshta.exe), especially when the command line points into WinRAR's temporary extraction folder.
    • Look for unusual network traffic to known malicious domains or IPs, and for scheduled tasks created shortly after an archive was opened.
  4. IOC Monitoring: Leverage indicators of compromise (IOCs) associated with malware families like MATCHBOIL, MATCHWOK and DRAGSTARE for early detection.
  5. User Awareness: Educate users about the risks of opening attachments from untrusted sources, even if they appear to be harmless documents.
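The hunting step above turns into a concrete query once you know what the exploit looks like in process telemetry: the decoy-named script runs with WinRAR.exe as its parent and a command line pointing into WinRAR's temporary extraction folder. The script below is an added example for this article, not SecPod's detection content. It reads JSON lines modelled on Sysmon Event ID 1 (process create) records, which are constructed here; in production you would feed exported Sysmon or EDR events into the same function. It assumes that WinRAR stages files opened from inside an archive under %TEMP%\Rar$…\, so a path in that folder whose name is a document name followed by a space and a script extension is treated as the exploit signature.

```python
"""Hunt for CVE-2023-38831 style execution in process-creation telemetry.

Added example for this article; not SecPod's detection content. Input is a
list of JSON lines modelled on Sysmon Event ID 1 records, constructed here.
Assumed: WinRAR stages files opened from inside an archive in a temp folder
named Rar$... under %TEMP%, so "<doc name> .<script ext>" in that folder is
the CVE-2023-38831 name collision being executed.
"""
import json
import re

# Interpreters a document viewer should never need (assumed list).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# WinRAR's temporary extraction folder (assumed naming: %TEMP%\Rar$...\).
RAR_TEMP = re.compile(r"\\Temp\\Rar\$[^\\]+\\", re.IGNORECASE)
# "<decoy>.<doc ext> .<script ext>": the collision the exploit relies on.
DECOY_SCRIPT = re.compile(
    r"\.(?:pdf|jpe?g|png|gif|docx?|xlsx?|pptx?|txt) "
    r"\.(?:cmd|bat|exe|scr|vbs|vbe|js|jse|wsf|hta|ps1|lnk)\b",
    re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_winrar_children(log_lines) -> list[dict]:
    """Return process-create events whose parent is WinRAR.exe and which
    either start a script host or run a decoy-named script from WinRAR's
    temp folder. Each finding carries the reasons it matched."""
    findings = []
    for raw in log_lines:
        ev = json.loads(raw)
        if ev.get("EventID") != 1:
            continue                                   # not process creation
        if _basename(ev.get("ParentImage", "")) != "winrar.exe":
            continue                                   # not spawned by WinRAR
        image = _basename(ev.get("Image", ""))
        cmdline = ev.get("CommandLine", "")
        reasons = []
        if image in SCRIPT_HOSTS:
            reasons.append("script host spawned by WinRAR")
        if RAR_TEMP.search(cmdline) and DECOY_SCRIPT.search(cmdline):
            reasons.append("decoy-named script run from WinRAR temp folder")
        if reasons:
            findings.append({"ProcessId": ev.get("ProcessId"), "Image": image,
                             "CommandLine": cmdline, "reasons": reasons})
    return findings


# Constructed events: exploit via cmd.exe, a legitimate PDF viewer launch
# from WinRAR, an unrelated PowerShell start, exploit via wscript.exe, and a
# network event (ID 3) that the hunt must ignore.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", '
    r'"ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", '
    r'"CommandLine": "C:\\Windows\\System32\\cmd.exe /c \"C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa4312.18960\\report.pdf .cmd\""}',
    r'{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", '
    r'"ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", '
    r'"CommandLine": "\"C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa4312.21404\\invoice.pdf\""}',
    r'{"EventID": 1, "ProcessId": 5012, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoProfile"}',
    r'{"EventID": 1, "ProcessId": 5220, "Image": "C:\\Windows\\System32\\wscript.exe", '
    r'"ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", '
    r'"CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\Rar$DIa4312.25876\\photo.jpg .vbs\""}',
    r'{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\cmd.exe", "DestinationIp": "203.0.113.10"}',
]


if __name__ == "__main__":
    for hit in hunt_winrar_children(SAMPLE_EVENTS):
        print(hit["ProcessId"], hit["Image"], "; ".join(hit["reasons"]))
```

The two rules are deliberately separate: "script host spawned by WinRAR" is noisy on its own (users do open .bat files from archives) but cheap to triage, while the decoy-name match is specific to this exploit and is worth a high-severity alert. A viewer such as Acrobat opening a plain .pdf from the same temp folder, the second sample event, matches neither rule.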

Instantly Fix Risks with Secure Patches Inc.

Secure Patches Inc. offers a continuous, automated solution to address risks exploited in the wild. It supports a wide range of third-party applications across Windows, macOS, and Linux, ensuring that your systems are protected against the latest threats.
