Russia and China-backed Hackers Are Exploiting WinRAR Zero-Day Bug, Google Says (techcrunch.com)
Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows. From a report: The WinRAR vulnerability, first discovered by cybersecurity company Group-IB earlier this year and tracked as CVE-2023-38831, allows attackers to hide malicious scripts in archive files that masquerade as seemingly innocuous images or text documents. Group-IB said the flaw was exploited as a zero-day -- since the developer had zero time to fix the bug before it was exploited -- as far back as April to compromise the devices of at least 130 traders.
Rarlab, which makes the archiving tool, released an updated version of WinRAR (version 6.23) on August 2 to patch the vulnerability. Despite this, Google's Threat Analysis Group (TAG) said this week that its researchers have observed multiple government-backed hacking groups exploiting the security flaw, noting that "many users" who have not updated the app remain vulnerable. In research shared with TechCrunch ahead of its publication, TAG says it has observed multiple campaigns exploiting the WinRAR zero-day bug, which it has tied to state-backed hacking groups with links to Russia and China.
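The summary's practical point for defenders is that the fix shipped as WinRAR 6.23 and that unpatched installs are what the observed campaigns rely on. The script below is an added example, not code from the TechCrunch article, Google TAG or Rarlab: it walks a software-inventory export and flags every WinRAR install older than 6.23. The CSV layout (host,product,version) and the sample rows are constructed assumptions; the 6.23 threshold is the fixed version the article names.

```python
"""Flag WinRAR installs older than the patched 6.23 release in a software inventory.

Added example, not from the article. The inventory format (CSV: host,product,version)
and the sample rows are constructed; the 6.23 threshold is the fixed version named
in the article.
"""
import csv
import io
import re

# Fixed release named in the article; anything below it is treated as exposed to CVE-2023-38831.
PATCHED_VERSION = "6.23"

# Constructed sample export from a software inventory tool (assumption: CSV with a header row).
SAMPLE_INVENTORY = """host,product,version
ws-0142,WinRAR,6.22
ws-0143,WinRAR,6.23
ws-0144,WinRAR,6.10
ws-0145,WinRAR,6.24 beta 1
ws-0146,7-Zip,23.01
ws-0147,WinRAR,5.91
"""


def parse_version(text: str) -> tuple:
    """Turn '6.23' or '6.24 beta 1' into a comparable (major, minor) tuple of ints.

    Compare numerically per component, never as a float or as a string:
    float('6.10') == float('6.1') and '6.9' > '6.23' as strings, both wrong.
    """
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed version predates the patched release."""
    return parse_version(version) < parse_version(patched)


def find_unpatched_winrar(csv_text: str) -> list:
    """Return inventory rows for WinRAR installs below the patched version, sorted by host."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["product"].strip().lower() != "winrar":
            continue  # other archivers are out of scope for this CVE
        if is_vulnerable(row["version"]):
            hits.append({"host": row["host"], "version": row["version"].strip()})
    return sorted(hits, key=lambda r: r["host"])


if __name__ == "__main__":
    for hit in find_unpatched_winrar(SAMPLE_INVENTORY):
        print(f"{hit['host']}: WinRAR {hit['version']} is older than {PATCHED_VERSION}, update required")
```

Feed it the export from whatever inventory tool you run instead of the constructed sample; the version comparison is the part worth keeping, since string or float comparison silently misorders releases such as 6.10 and 6.9.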
in soviet russia we RAR you! (Score:1)
in soviet russia we RAR you!
Re: (Score:1)
in soviet russia we RAR you!
yawn
Rar compression? Why? (Score:3)
I used it back in the day (it had security flaws then, too) when disk space was more expensive and net much slower but today? What a hassle vs just zipping. Sure zip doesn't compress as well but it's good enough for almost anything, disk is dirt cheap, net is so much faster, many of the bigger file types are self compressed and zip is pretty fast to compress and uncompress.
What niche use does rar still have? Is there some industry that has mandated it for some reason?
multi part archives (Score:4, Informative)
multi part archives
Re: (Score:3, Interesting)
tar + xz + split.
WinRar is probably faster than xz, but hey, it's got "win" in the name! Everybody I know on Windows uses 7zip these days, which is also supports splitting.
Re: (Score:1)
Are you still using floppy disks? Because they were the main reason for that feature.
Re: (Score:2)
I was able to email Windows 2000 to a friend back in the day using this method
Re: (Score:2)
Lessee ... about that time I repeatedly put (or re-put) Win2k onto my home machines (in various rebuilds) from a single Zip disc (parallel-port, natch!) so it weighed less than 100MB. Though not a lot less, IIRC. Call it 100 MB.
At that time, my dial-up peaked at 28.8k, so about 35s per MB. Just short of an hour for 100MB. If the line had stayed up. Which would have cost me about £3 (5USD?) in phone line charges. While burning a new CD would have cost about
Re: (Score:2)
Didn't own a CD burner or a Zip drive at the time but I did have access to broadband.
Re: (Score:2)
Every GUI front-end to ZIP that I've seen (except some integrations into file managers - why I never understood) has included the capability.
It's not a feature that any member of the RAR family has over other compression protocols.
Re: (Score:2)
Every other compressed archive can do that too.
Re: (Score:2)
Use of zip for anything else than decompressing historic archives should be criminalized by now. It's terrible compression that's slower than anything modern. And you can't even stream it.
Re: (Score:3)
The fact that WinRAR still has an audience just tells me that people pretty much stick with familiarity. It's why certain browsers are used more than others, why programs like Libre/Open Office look so much like Microsoft Word, etc. It's been a while since I used WinRAR, and I think I switched because I was having issues with it decompressing archives I was grabbing from torrents. I only think about using 7zip now and like others will probably just continue using it unless I have a similar issue and will be
Re: (Score:1)
The fact that WinRAR still has an audience just tells me that people pretty much stick with familiarity.
I don't think that's fair, if you like RAR archives, your only choice is software from the creator. RAR archives can have optional features that are still not common elsewhere. If you're still mailing archives or using FAT32 thumb drives, RAR's recovery is probably a good thing.
Re: Rar compression? Why? (Score:4)
I like the fact that it has built-in error-detection and correction. Sure, I could get the same result with a zip or 7-zip file and MultiPAR, but it's a lot more streamlined with WinRAR.
Re: (Score:2, Insightful)
>What niche use does rar still have?
1- RAR has always been great for multipart.
2- Many older files only exist as RAR, and in some cases, only WinRAR can unrar them (go check out the old pagemaker 7 on piratebay, for an example of something that WinRAR supports and likely nothing else).
3- RAR has always been fast. This may seem unimportant now, but it still seems to matter.
Finally, I think RAR still has better compression with .JPG or .GIF or something. I forget which one exactly, and *maybe* the newest
Re: (Score:2)
One thing: Recovery records. Yes, we have ZFS and error correction in filesystems, but having ECC code follow the data around can be quite useful, just to ensure that data that has gone from drive to drive is still useful, and if damaged, there is a good chance it can be repaired. Yes, one can use PAR2 for this, but that is nowhere as easy as WinRAR... and every unarchiver can decode WinRAR, because the unrar code is public domain.
I still use (and have registered for each machine) WinRAR, because it is a
Can't block China (Score:2, Interesting)
But really, haven't most of us blocked Russian (and Russian allied) state IP blocks already?
Though where I work we've had to start blocking the US as well. A lot of attacks bounce through poorly secured American computers these days.
Re: (Score:3)
I have noticed that there are netblocks that geo-locate to the US but are transparently owned by Yandex and other Russian companies. We see credential stuffing and other attacks from such blocks here and there. I just add them to the blacklist when they are detected.
But, yes, I block all non-US IPs for both on premises and cloud applications (Entra ID especially)
Re: (Score:2)
I do wish Entra had regional blocks. Most of the time I need 'block everything but Canada', and then add occasional additional exceptions for specific accounts... But as far as I know, that means manually including every country individually.
It'd be nice to have pre-defined locations based on continents.
7Zip (Score:5, Interesting)
7Zip is better now anyway. Even the UI.
Re: (Score:3, Interesting)
I like the PeaZip UI. Plus it's available for Mac, Linux, and Windows. Although admittedly the UI feels out of place on a Mac, at least it works. PeaZip is just a front-end for several command-line compressors, rather than being fully integrated like 7zip. But looking only at the UI, it feels more natural to me (but I am likely very biased). If you find yourself doing repetitive compression tasks, you can do some automation with PeaZip that isn't possible with 7zip. Usually simple things like splitting arch
Re: (Score:2)
Cool! Gonna check that out.
Zero day? (Score:3)
Surely at this point it's 10,950 day.
Windows program riddled with malware (Score:3)
I'm shocked! Shocked, I tell you!
Please purchase WinRAR license (Score:4, Funny)
This is WinRAR's revenge for 20+ years of ignoring these notifications
Re: (Score:2)
Good thing I bought a license ~20 years ago, then - never had to update my copy since!
7zip (Score:2)
I prefer 7zip myself.
Someone paid (Score:5, Funny)
When someone in Russia or China paid for WinRAR, it should have raised a flag.
Re: (Score:1)
When someone in Russia or China paid for WinRAR, it should have raised a flag.
A red flag.
Darn (Score:3)