Get in Touch
Indiscriminate, opportunistic targeting.
A vulnerability has been identified within WinRAR which allows a threat actor to execute arbitrary code under the context of the current process on Windows systems. This is described as a flaw within the processing of recovery volumes, which results from a lack of proper validation of user-supplied data. This vulnerability is being tracked as CVE-2023-40477 (CVSS score: 7.8).
Successful exploitation of this vulnerability would allow a threat actor to execute code in the context of the current process. For exploitation of this vulnerability to occur, user interaction is required. This is achieved by the user opening a malicious archive file or navigating to a malicious page.
A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against known threats. EDRs can alert system users of potential breaches and prevent further progress prior to the malware being able to implement significant damage. Security updates have been released regarding this vulnerability, leaving versions 6.22 and below vulnerable to exploitation.
WinRAR versions 6.22 and below.
Containment, Mitigations & Remediations
Users are advised to upgrade their version of WinRAR to apply the latest security update (6.23) which addresses this vulnerability.
Indicators of Compromise
There are no specific Indicators of Compromise (IoCs) available at the time of writing.
WinRAR is a widely used file archiving tool for Windows systems developed by RARLAB’s. Due to the fact that RARLAB’s products have become an integral aspect of business operations, threat actors will continue to exploit the vulnerabilities of these product types in an attempt to exfiltrate sensitive data contained therein or impact associated business operations.
No attribution to specific threat actors or groups has been identified at the time of writing.
T1203 – Exploitation for Client Execution
T1204 – User Execution