CVE-2023-38831

Vulnerability updated 7 months ago (2024-05-04T20:16:23.652Z)
CVE-2023-38831 is a critical vulnerability in the WinRAR software, with a CVSS score of 7.8, indicating high severity. The flaw has been exploited to disseminate the LONEPAGE malware through ZIP files in activity tracked as UAC-0099. The vulnerability was first actively exploited in mid-2022, primarily against Ukrainian entities. Cybersecurity researchers have noted that this zero-day vulnerability in the popular WinRAR compression tool has also been used to target traders on specialized forums.

The DarkCasino threat actor group, identified by the cybersecurity firm NSFOCUS, has been observed leveraging this vulnerability in attacks on cryptocurrency trading platforms, online casinos, and online banks worldwide. The attackers use lure documents containing malicious content that exploits the WinRAR RCE flaw, granting them access to compromised systems. In addition to HTA attachments, two other infection methods have been identified: self-extracting (SFX) archives and booby-trapped ZIP files, both exploiting the WinRAR vulnerability to distribute LONEPAGE malware.

APT29, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes, has also been linked to exploitation of CVE-2023-38831. The group uses benign-looking lures, such as offers of BMWs for sale, to exploit the vulnerability and gain access to systems. In recent months, the group has been connected to attacks on organizations in France and Ukraine, using the WinRAR flaw to steal browser login data via a PowerShell script named IRONJAW.
Description last updated: 2024-03-17T13:16:45.883Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance:
WinRAR
Google
Vulnerability
Malware
ngrok
Microsoft
Exploit
Apt
Associated Malware
Each entry gives the alias, the association type, and the vote count, followed by the description (descriptions are truncated in the source).

KONNI (association type: Unspecified; votes: 3)
Konni is a malicious software (malware) linked to North Korea, specifically associated with the state-sponsored Kimsuky group. This advanced persistent threat (APT) has been active since at least 2021, focusing on high-profile targets such as the Russian Ministry of Foreign Affairs, the Russian Emba...

EVILNUM (association type: Unspecified; votes: 2)
Evilnum is a form of malware, first observed and reported in 2018, that is designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge, and can steal personal information, disrupt operations, or even ho...

Lonepage (association type: Targets; votes: 2)
Lonepage is a malicious software (malware) that has been actively utilized by the threat actor UAC-0099 since mid-2022 to compromise Ukrainian entities. This malware, along with others like Clogflag, Seaglow, and Overjam, is used to spy on victims and steal data. The operation employs phishing messa...

Phantomdl (association type: Unspecified; votes: 2)
PhantomDL is a malicious software (malware) associated with the cybercriminal group known as Head Mare, which has been linked to targeted attacks on Russian organizations. This custom-made malware, along with PhantomCore, exploits a relatively new vulnerability, CVE-2023-38831, in phishing campaigns...

Phantomcore (association type: Unspecified; votes: 2)
PhantomCore is a sophisticated malware, which is part of a suite of custom-made malicious software that includes PhantomDL. This malware has been used in targeted phishing campaigns to infiltrate victim infrastructure by exploiting a relatively new vulnerability, CVE-2023-38831. Once executed, the m...

Bumblebee (association type: Unspecified; votes: 2)
Bumblebee is a type of malware that has been linked to ITG23, a cyber threat group. Over the past year, it has been used in conjunction with other initial access malwares such as Emotet, IcedID, Qakbot, and Gozi during ITG23 attacks. The same values for self-signed certificates seen in Bumblebee hav...
Associated Threat Actors
Each entry gives the alias, the association type, and the vote count, followed by the description (descriptions are truncated in the source).

Sandworm (association type: Unspecified; votes: 4)
Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c...

APT28 (association type: Targets; votes: 4)
APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)...

Cozy Bear (association type: Targets; votes: 3)
Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy...

APT29 (association type: Unspecified; votes: 3)
APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw...

The Dukes (association type: Targets; votes: 2)
The Dukes, also known as APT29, Cozy Bear, Midnight Blizzard, Nobelium, and BlueBravo, is a threat actor associated with the Russian government. The group has been active since at least 2008 and has targeted various governments, think tanks, diplomatic entities, and political parties. Notably, in Se...

Darkcasino (association type: Unspecified; votes: 2)
DarkCasino is a threat actor that has recently emerged in the cybersecurity landscape. As a malicious entity, it's responsible for executing actions with potentially harmful intent. The nature of such entities can range from individual hackers to more organized groups affiliated with private compani...

APT40 (association type: Unspecified; votes: 2)
APT40, a threat actor attributed to China, is a cyber espionage group that primarily targets countries of strategic importance to the Belt and Road Initiative. The group is known for its use of a variety of attack vectors, notably spear-phishing emails posing as individuals likely to be of interest...
Source Document References
Information about the CVE-2023-38831 Vulnerability was read from the documents corpus below. This display is limited to 20 results.
Source (created):
CISA (6 days ago)
DARKReading (2 months ago)
Securityaffairs (3 months ago)
Securelist (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
DARKReading (6 months ago)
Securityaffairs (6 months ago)
Securelist (6 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)
Securityaffairs (7 months ago)