Attacks exploiting WinRAR vulnerability tied to Ukraine

Several Russian companies have been subjected to intrusions exploiting the already-patched WinRAR vulnerability, tracked as CVE-2023-38831, by the PhantomCore cyberespionage operation, which has been linked to Ukraine, reports The Record, a news site by cybersecurity firm Recorded Future.

Attacks commenced with phishing emails carrying a PDF document disguised as a contract together with a password-protected RAR archive; opening the archive triggers the WinRAR flaw and delivers the PhantomRAT remote access malware, which enables data exfiltration, according to a report from F.A.C.C.T., a spinoff of the Russian firm Group-IB. While three PhantomRAT test samples were found to have originated in Ukraine, most Western cybersecurity firms could not verify that attribution because they have been cut off from Russian networks since the start of the Russia-Ukraine war.

Check Point researchers confirmed that PhantomRAT is operational malware. However, Microsoft has not identified any attack activity linked to PhantomCore, according to Microsoft Director of Threat Intelligence Strategy Sherrod DeGrippo, who also noted that the use of RAR archives for malware delivery has already been observed in previous attack campaigns.