"August 2023, RARLabs released an updated version of WinRAR that included fixes for several security-related bugs. One of those bugs, later assigned CVE-2023-38831, is a logical vulnerability within WinRAR causing extraneous temporary file expansion when processing crafted a…"
T1566.001 Spearphishing Attachment
97%
"Spear-phishing campaign targeting Ukrainian government organizations hosted on API endpoint testing services. On September 4th, CERT-UA posted about FROZENLAKE (aka APT28), a group attributed to Russian GRU, using CVE-2023-38831 to deliver malware targeting energy infras…"
T1204.002 Malicious File
96%
"“imagingdevices.exe” to “CurrentVersion\Run” registry key. It then decodes several layers of shellcode, the last of which is generated using Donut, that loads and executes the final payload, BOXRAT, in-memory. BOXRAT is a .NET backdoor that uses Dropbox API as a C2 mecha…"
T1204.002 Malicious File
93%
"Government-backed actors exploiting WinRAR vulnerability. In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2…"
T1204.002 Malicious File
87%
"##14b44c24c16308da0ef0e5aab36b7a601b310d12f8b925f359e7) was uploaded to VirusTotal on September 11th. The sample exploits CVE-2023-38831 to drop a BAT file which opens a decoy PDF file and creates a reverse SSH shell to an attacker-controlled IP address, and executes IRONJAW…"
T1560.001 Archive via Utility
65%
"Government-backed actors exploiting WinRAR vulnerability. In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2…"
T1204.001 Malicious Link
62%
"tunnel were new additions to the typical FROZENLAKE toolkit. ISLANDDREAMS delivering BOXRAT in campaign targeting Papua New Guinea. TAG has also observed government-backed groups linked to China exploit CVE-2023-38831. In late August, ISLANDDREAMS (aka APT40) launched a ph…"
T1566.002 Spearphishing Link
58%
"path to be taken). This quirk in ShellExecute, causing the default extension search logic to be applied when attempting to open a file with an extension containing spaces, is what causes “poc.png_.cmd” to be selected and inadvertently run, even though it was not the file the…"
T1204.002 Malicious File
50%
"##31. Vulnerability. Consider the following archive structure: when a user double-clicks on a benign “poc.png_” (underscore is used to indicate a space) from WinRAR's user interface, WinRAR prior to 6.23 will instead execute “poc.png_/poc.png_.cmd”. After a us…"
T1027.015 Compression
50%
"Government-backed actors exploiting WinRAR vulnerability. In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2…"
T1566.001 Spearphishing Attachment
48%
"path to be taken). This quirk in ShellExecute, causing the default extension search logic to be applied when attempting to open a file with an extension containing spaces, is what causes “poc.png_.cmd” to be selected and inadvertently run, even though it was not the file the…"
T1204.002 Malicious File
42%
"tunnel were new additions to the typical FROZENLAKE toolkit. ISLANDDREAMS delivering BOXRAT in campaign targeting Papua New Guinea. TAG has also observed government-backed groups linked to China exploit CVE-2023-38831. In late August, ISLANDDREAMS (aka APT40) launched a ph…"
T1204.002 Malicious File
40%
"path to be taken). This quirk in ShellExecute, causing the default extension search logic to be applied when attempting to open a file with an extension containing spaces, is what causes “poc.png_.cmd” to be selected and inadvertently run, even though it was not the file the…"
Summary
Google's Threat Analysis Group analyzes recent state-sponsored campaigns exploiting the WinRAR vulnerability, CVE-2023-38831.