CVE-2023-38831

Vulnerability updated 5 months ago (2024-05-04T20:16:23.652Z)
CVE-2023-38831 is a high-severity vulnerability in RARLAB's WinRAR (CVSS 3.1 base score 7.8, which falls in the "High" band, not "Critical"). It is a logic flaw in how WinRAR versions before 6.23 handle a ZIP archive that contains a benign-looking file (a .pdf, .jpg or .txt, for instance) alongside a directory with the same name: when the user double-clicks the decoy file, WinRAR also processes the contents of the same-named directory, so a script or executable placed there is launched. No memory corruption is involved; the attacker only needs the victim to open the archive and click the decoy. The flaw was exploited as a zero-day from around April 2023 until RARLAB fixed it in WinRAR 6.23 (August 2023), and it remains exploitable on unpatched installations, which are common because WinRAR does not update itself. Only WinRAR is affected; the ZIP format itself is not at fault.

The threat actor UAC-0099 (an actor designation used by CERT-UA, not the name of an exploit) has used the flaw to deliver the LONEPAGE malware to Ukrainian entities. The group has been active since mid-2022; its use of CVE-2023-38831 dates from after the flaw became public. Besides HTA attachments, two other UAC-0099 infection methods have been identified: self-extracting (SFX) archives and booby-trapped ZIP files, the latter exploiting the WinRAR vulnerability to deliver LONEPAGE.

Group-IB, which discovered the zero-day, reported that it was used to target traders on specialized trading forums. The DarkCasino threat actor, named by cybersecurity firm NSFOCUS, has been observed using the same flaw against cryptocurrency trading platforms, online casinos and online banks worldwide. The lure archives contain a decoy document next to a directory carrying the malicious payload; opening the decoy gives the attackers code execution on the victim's system.

APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes, has also been linked to exploitation of CVE-2023-38831. The group uses benign-looking lures, such as an offer of a BMW for sale, to get the target to open the archive. In recent months the group has been connected to attacks on organizations in France and Ukraine, using the WinRAR flaw to deliver a PowerShell script named IRONJAW that steals browser login data.

Mitigation: upgrade WinRAR to 6.23 or later on every host, and treat any archive that contains a file and a directory with the same (or same-but-for-trailing-space) name as hostile.
Description last updated: 2024-03-17T13:16:45.883Z
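The following Python script is an added example, not code from this page or from any vendor: it checks a ZIP archive for the file/directory name collision that CVE-2023-38831 relies on, which is the check a mail gateway or sandbox can run without needing WinRAR. The sample archives are constructed inline (the "payload" is inert text, not a working script), and the list of executable extensions is an illustrative assumption rather than a complete one.

```python
"""Scan ZIP archives for the file/directory name collision abused by CVE-2023-38831."""
import io
import os
import zipfile

# Extensions Windows will run when WinRAR hands the same-named directory's
# contents to the shell. Illustrative list (assumption), not exhaustive.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".cmd", ".bat", ".scr", ".pif", ".lnk",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta",
}


def _win_norm(path: str) -> str:
    """Compare names the way Windows does: case-insensitively, with trailing
    spaces and dots removed from each component. The in-the-wild archives use a
    trailing space so the decoy file and the directory look identical."""
    return "/".join(part.rstrip(" .").lower() for part in path.split("/"))


def find_38831_collisions(zip_bytes: bytes) -> list:
    """Return one finding per file entry whose path collides with a directory in
    the same archive. Each finding lists the executable entries under that
    directory, which is what WinRAR < 6.23 launches when the decoy is opened."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    files = [n for n in names if not n.endswith("/")]

    # Every directory implied by an entry path, whether or not the archive
    # carries an explicit directory record for it (attackers often omit it).
    dirs = {}
    for n in names:
        parts = n.rstrip("/").split("/")
        max_depth = len(parts) if n.endswith("/") else len(parts) - 1
        for depth in range(1, max_depth + 1):
            d = "/".join(parts[:depth])
            dirs.setdefault(_win_norm(d), d)

    findings = []
    for f in files:
        d = dirs.get(_win_norm(f))
        if d is None:
            continue
        payloads = sorted(
            n for n in files
            if n.startswith(d + "/")
            and os.path.splitext(n)[1].rstrip(" .").lower() in EXECUTABLE_EXTS
        )
        findings.append({"file": f, "dir": d, "payloads": payloads})
    return findings


def build_constructed_sample() -> bytes:
    """Constructed fixture mimicking the in-the-wild layout: a decoy 'notes.txt '
    (trailing space) next to a directory 'notes.txt ' holding a script whose
    name starts with the decoy's name. The script body is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt ", "Quarterly notes (decoy document)")
        zf.writestr("notes.txt /notes.txt .cmd", "rem constructed sample, does nothing")
    return buf.getvalue()


def build_clean_sample() -> bytes:
    """Constructed benign archive: no file path collides with a directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", "not a real pdf")
        zf.writestr("images/photo.jpg", "not a real jpg")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("constructed", build_constructed_sample()),
                        ("clean", build_clean_sample())):
        print(label, find_38831_collisions(data))
```

Any collision at all is worth blocking, not just one with a recognised executable extension: a file and a directory with the same name cannot both exist on a Windows filesystem, so a legitimate archiver never produces that layout, and an unfamiliar extension inside the directory is more likely an evasion than a false positive.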
Aliases: none currently tracked.

Miscellaneous Associations (other elements of context that could aid in identifying relevance): WinRAR, Google, Vulnerability, Malware, ngrok, Microsoft, Exploit, APT.
Associated Malware
Each entry gives the name, the association type and the vote count, followed by the description (truncated in the source).

KONNI (association: Unspecified; votes: 3)
Konni is malware linked to North Korea, specifically to the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba…

EVILNUM (association: Unspecified; votes: 2)
Evilnum is malware, first observed and reported in 2018, that infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho…

Lonepage (association: Targets; votes: 2)
Lonepage is malware that has been actively used by the threat actor UAC-0099 since mid-2022 to compromise Ukrainian entities. Along with others such as Clogflag, Seaglow, and Overjam, it is used to spy on victims and steal data. The operation employs phishing messa…

Phantomdl (association: Unspecified; votes: 2)
PhantomDL is malware associated with the group known as Head Mare, which has been linked to targeted attacks on Russian organizations. This custom-made malware, along with PhantomCore, exploits CVE-2023-38831 in phishing campaigns…

Phantomcore (association: Unspecified; votes: 2)
PhantomCore is part of a suite of custom-made malware that includes PhantomDL. It has been used in targeted phishing campaigns to infiltrate victim infrastructure by exploiting CVE-2023-38831. Once executed, the m…

Bumblebee (association: Unspecified; votes: 2)
Bumblebee is malware linked to ITG23, a cybercriminal group whose crypters have been seen on Emotet, IcedID, Qakbot, Bumblebee, and Gozi samples. Distributed via phishing campaigns or compromised websites, Bumblebee enables the delivery and execution of further payloads. The sam…
Associated Threat Actors
Each entry gives the name, the association type and the vote count, followed by the description (truncated in the source). Note that Cozy Bear, APT29 and The Dukes are three entries for the same group.

Sandworm (association: Unspecified; votes: 4)
Sandworm, also known as APT44, is a Russia-linked threat actor implicated in several major cyberattacks. It has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi…

APT28 (association: Targets; votes: 4)
APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate (GRU), is a Russia-linked threat actor active since at least 2007. It has targeted governments, militaries, and security organizations worldwide, with a particular focus on th…

Cozy Bear (association: Targets; votes: 3)
Cozy Bear, also known as APT29, Midnight Blizzard, Nobelium, and The Dukes, is a threat actor believed to be linked to the Russian state. It has been involved in numerous cyber-espionage activities, demonstrating proficiency across multiple operating systems a…

APT29 (association: Unspecified; votes: 3)
APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and The Dukes, is a Russia-linked threat actor attributed to the SVR. The group is notorious for its sophisticated tactics, techniques, and procedures, and often uses The Onion Router (Tor) network, leased and compromised…

The Dukes (association: Targets; votes: 2)
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, and Nobelium, is a threat actor associated with the Russian government that has been active since at least 2008. Notably, the group was implicated in the 2015 intrusion into the American Democratic National Committee (DNC). The FBI alerted th…

DarkCasino (association: Unspecified; votes: 2)
DarkCasino is a recently emerged threat actor, named by NSFOCUS, that has used CVE-2023-38831 against cryptocurrency trading platforms, online casinos and online banks, as described above.

APT40 (association: Unspecified; votes: 2)
APT40, a Chinese cyber-espionage group suspected of affiliation with China's Ministry of State Security, has conducted campaigns against government and private organizations in multiple countries, typically targeting nations strategically significant t…
Source Document References
Information about CVE-2023-38831 was read from 20 documents in the corpus (the display is limited to 20 results): 16 from Securityaffairs (between 1 and 6 months old), 2 from Securelist (2 and 5 months old), and 2 from DARKReading (22 days and 5 months old).