virus logo Threat Signal Report

WinRAR ZIP Arbitrary Code Execution Vulnerability (CVE-2023-38831)

Description

What is WinRAR? WinRAR is a popular utility tool for file compression/decompression and archive management.
What is the Attack? CVE-2023-38831 is an arbitrary code execution vulnerability that affects WinRAR before version 6.23. The vulnerability allows threat actors to create a zip file that contains a folder and a file with the same filename. Opening (some refer to this as "viewing") the file launches a malicious script in the folder.
Why is this Significant? This is significant because WinRAR is widely used and CVE-2023-38831 was reportedly exploited as a 0-day in April 2023. As a result, multiple malware families have reportedly been deployed. FortiGuard Labs strongly recommends all users of WinRAR to update to the latest version of WinRAR as soon as possible.
What is the Vendor Solution?
The vendor has released WinRAR version 6.23 that includes a fix for CVE-2023-38831.
What FortiGuard Coverage is available? FortiGuard Labs has the following AV signatures against the files reportedly used in attacks involving CVE-2023-38831:
W32/Darkme.A!tr
W32/NDAoF
PossibleThreat.DU
W32/VB_AGen.EX!tr
W32/ETCH!tr
NSIS/Injector.15D3!tr
PossibleThreat.FORTIEDR.H
W32/PossibleThreat
Malicious_Behavior.SB
Webfiltering blocks all reported network IOCs.

Appendix

CVE-2023-38831 (MITRE)

Latest changes in WinRAR (Rarlab)

Traders' Dollars in Danger: CVE-2023-38831 zero-Day vulnerability in WinRAR exploited by cybercriminals to target traders (Group-IB)


ID 64
Date Aug 24, 2023
CVE ID CVE-2023-38831
Threat/
Vulnerability		 Vulnerability
Experienced a Breach? We're here to help FortiGuard Incident Response Services
FortiGuard Incident Response Services