Google TAG finds threat actors exploiting WinRAR vulnerability

admin | 2023-10-20 14:16:54 | 15 views | 3,447 characters | 11 min 29 s read


A number of state-backed threat actors from Russia have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations.


The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively exploited since at least April 2023.
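As an added defensive example (not code from the original article), the Python scanner below flags ZIP archives that show the structure publicly documented for CVE-2023-38831 exploit archives: a decoy file whose name ends in a trailing space, alongside a same-named directory holding a script or executable. That structural detail comes from public analyses of the bug rather than from this article, and the two sample archives are constructed in memory for the demonstration.

```python
import io
import posixpath
import zipfile

# Extensions that the shell would run if handed to it; used to spot the
# script/executable planted inside the same-named directory.
EXEC_SUFFIXES = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com")


def find_cve_2023_38831_pattern(zip_bytes: bytes) -> list[str]:
    """Return decoy entry names matching the CVE-2023-38831 layout.

    Heuristic (from public write-ups, assumption labelled as such):
      1. a file entry whose base name ends with a space ("Invite.pdf "), and
      2. a directory with exactly that name containing an entry with an
         executable/script extension ("Invite.pdf /Invite.pdf .cmd").
    An empty list means the archive does not show the pattern.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        # Candidate decoys: file entries (not directories) ending in a space.
        decoys = [n for n in names
                  if not n.endswith("/") and posixpath.basename(n).endswith(" ")]
        for decoy in decoys:
            dir_prefix = decoy + "/"  # directory named exactly like the decoy
            for entry in names:
                if not entry.startswith(dir_prefix) or entry.endswith("/"):
                    continue
                if entry.lower().rstrip().endswith(EXEC_SUFFIXES):
                    findings.append(decoy)
                    break
    return findings


def build_sample(malicious: bool) -> bytes:
    """Construct a demo archive in memory (constructed data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Invitation.pdf ", b"%PDF-1.4 decoy document")
            zf.writestr("Invitation.pdf /Invitation.pdf .cmd", b"@echo demo only\r\n")
        else:
            zf.writestr("Invitation.pdf", b"%PDF-1.4 ordinary document")
            zf.writestr("notes/readme.txt", b"nothing unusual here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("suspicious", True), ("benign", False)):
        print(label, "->", find_cve_2023_38831_pattern(build_sample(flag)))
```

Archives with a space-terminated file name and no matching directory are left unflagged, so the check should be combined with extension and sender-based controls rather than used alone.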


Google Threat Analysis Group (TAG), which detected the activities in recent weeks, attributed them to three different clusters it tracks under the geological monikers FROZENBARENTS (aka Sandworm), FROZENLAKE (aka APT28), and ISLANDDREAMS (aka APT40).


The phishing attack linked to Sandworm impersonated a Ukrainian drone warfare training school in early September and distributed a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware that is offered for sale at $250 for a monthly subscription.


APT28, which like Sandworm is affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU), is said to have launched an email campaign targeting government organizations in Ukraine.


In these attacks, users from Ukraine were prompted to download a file containing a CVE-2023-38831 exploit – a decoy document that masqueraded as an event invitation from Razumkov Centre, a public policy think tank in the country.



The result is the execution of a PowerShell script named IRONJAW that steals browser login data and local state directories and exports the information to actor-controlled infrastructure on webhook[.]site.


The third threat actor to exploit the WinRAR bug is APT40, which unleashed a phishing campaign targeting Papua New Guinea in which the email messages included a Dropbox link to a ZIP archive containing the CVE-2023-38831 exploit.


The infection sequence ultimately paved the way for the deployment of a dropper named ISLANDSTAGER that is responsible for loading BOXRAT, a .NET backdoor that uses the Dropbox API for command-and-control.


The disclosure builds upon recent findings from Cluster25, which detailed attacks undertaken by the APT28 hacking crew exploiting the WinRAR flaw to conduct credential harvesting operations.


Some of the other state-sponsored adversaries that have joined the fray are Konni (which shares overlaps with a North Korean cluster tracked as Kimsuky) and Dark Pink (aka Saaiwc Group), according to findings from the Knownsec 404 team and NSFOCUS.


"The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available," TAG researcher Kate Morgan said. "Even the most sophisticated attackers will only do what is necessary to accomplish their goals."


Originally published on the WeChat official account 知机安全: Google TAG finds threat actors exploiting WinRAR vulnerability

Reposts must retain the original link (CN-SEC Chinese Network; thanks to the original author): Google TAG finds threat actors exploiting WinRAR vulnerability http://cn-sec.com/archives/2130448.html
