The notorious Bitter APT is at it again, this time recycling an old vulnerability that security professionals thought everyone would have patched by now. Seriously, folks: CVE-2023-38831 was disclosed in August 2023, and the WinRAR build that fixed it (6.23) shipped that same month. That’s ancient history in cyber time. Yet here we are, watching sophisticated threat actors exploit the same WinRAR flaw to deliver backdoors to unsuspecting victims.
This vulnerability is deceptively simple but devastatingly effective. It is a logic flaw in how WinRAR (before version 6.23) handles a ZIP archive that contains both a legitimate-looking file (say, “document.pdf”) and a folder with the same name plus a trailing space (“document.pdf ”), where the folder holds a script such as “document.pdf .cmd”. Ask WinRAR to open the innocent-looking PDF or JPG and it also extracts the contents of the look-alike folder, and the script, not the document, is what ends up running. No memory corruption, no fancy zero-day needed. Just a file name trick, good old user gullibility, and unpatched software.
Bitter APT isn’t the first to leverage this vulnerability. The flaw has been in active exploitation since at least April 2023, initially by cybercrime groups targeting financial traders. After public disclosure, proof-of-concept code spread like wildfire on GitHub. Now everyone’s got their hands on it.
What started as a targeted financial attack has become the cyber equivalent of a public utility, freely available to anyone with malicious intent.
The attack chain is painfully straightforward. Victims receive spear-phishing emails with ZIP attachments. Inside is what appears to be a legitimate document, alongside a folder whose name matches the document’s (give or take a trailing space) and which contains the executable payload. One double-click later, and victims have unwittingly installed DarkMe, GuLoader, Remcos, or any number of other payloads. The trick works because pre-6.23 WinRAR matched entry names loosely when opening a file from an archive: it did not treat “document.pdf” and “document.pdf ” as different names, so the folder’s contents were extracted along with the decoy, and the script inside it was executed instead of the document.
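Because the whole trick lives in the ZIP central directory, the layout described above (a decoy file beside a folder of the same name, trailing space included, holding an executable) can be spotted before anything is extracted. The following scanner is an added example written for this article, not code from any of the threat reports it cites; it builds a harmless in-memory archive with that layout (constructed for the example, with an inert placeholder instead of a payload) and flags it. The list of executable extensions is an assumption: a practical starting point, not an exhaustive one.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions Windows will happily execute when handed the file by the shell.
# Assumption: a practical starting list for this example; extend it for your
# environment (PATHEXT plus the usual script hosts and shortcuts).
EXECUTABLE_EXTS = {
    ".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk",
}


def is_executable_name(name: str) -> bool:
    """True if the entry's extension is one Windows would run.

    Trailing spaces are stripped first: "doc.pdf .cmd" is a .cmd file, and
    "doc.pdf .cmd " would be treated the same way by the shell.
    """
    ext = os.path.splitext(name.rstrip(" "))[1].lower()
    return ext in EXECUTABLE_EXTS


def find_cve_2023_38831_lures(names: List[str]) -> List[Dict[str, object]]:
    """Scan ZIP entry names for the CVE-2023-38831 layout.

    Pattern: a file entry "X" (or "X ") at the archive root, plus a directory
    whose name equals X once trailing spaces are ignored, containing at least
    one executable entry.  Comparing names modulo trailing spaces mirrors the
    loose matching pre-6.23 WinRAR applied, and also catches the degenerate
    case of a folder literally named the same as the decoy.
    """
    files = [n for n in names if not n.endswith("/")]
    findings = []
    for lure in files:
        if "/" in lure:
            continue  # decoys sit at the archive root in the known samples
        stem = lure.rstrip(" ")
        if not stem:
            continue
        payloads = []
        for other in files:
            if other == lure or "/" not in other:
                continue
            top, _, rest = other.partition("/")
            if top.rstrip(" ") == stem and is_executable_name(rest):
                payloads.append(other)
        if payloads:
            findings.append({
                "lure": lure,
                "trailing_space_dir": any(
                    p.partition("/")[0].endswith(" ") for p in payloads
                ),
                "payloads": sorted(payloads),
            })
    return findings


def scan_zip_file(path: str) -> List[Dict[str, object]]:
    """Scan a ZIP on disk without extracting anything from it."""
    with zipfile.ZipFile(path) as zf:
        return find_cve_2023_38831_lures(zf.namelist())


def build_constructed_sample() -> List[str]:
    """Build, in memory, a harmless archive with the suspicious layout.

    Constructed for this example only: the decoy is a stub and the .cmd body
    is a single comment line, so nothing here is a working payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf ", b"%PDF-1.4\n% stub decoy, not a real document\n")
        zf.writestr("Invoice.pdf /Invoice.pdf .cmd", b"rem inert placeholder\r\n")
        zf.writestr("readme.txt", b"an ordinary, unrelated entry\n")
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return zf.namelist()


if __name__ == "__main__":
    for hit in find_cve_2023_38831_lures(build_constructed_sample()):
        print("CVE-2023-38831 layout: decoy %r -> %s (trailing-space dir: %s)"
              % (hit["lure"], hit["payloads"], hit["trailing_space_dir"]))
```

The scanner never extracts, so it is safe to point at mail-gateway attachments or a quarantine folder via `scan_zip_file`. It reads names from the central directory exactly as stored (Python’s `zipfile` does not strip trailing spaces), which matters because a tool that normalises names on the way in would erase the very artefact you are looking for.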
What’s particularly concerning is the global reach. Financial institutions, government entities, energy companies, and cryptocurrency businesses have all been targeted. The vulnerability carries a CVSS v3.1 base score of 7.8 (High): it yields arbitrary code execution as the logged-on user, although it does require that user to open the booby-trapped entry in WinRAR, which is exactly what the phishing lure is designed to achieve.
And with groups like Bitter, the DarkMe operators (tracked by some vendors as DarkCasino; DarkMe itself is the malware, not the group), UAC-0057, APT40, Konni, and Sandworm all exploiting this vulnerability, the threat landscape is crowded with dangerous actors.
The fix? Update WinRAR to version 6.23 or later. That was the solution months ago, and it’s still the solution today. One practical caveat: WinRAR has no automatic update mechanism, so an old install stays old until someone downloads and installs a new build by hand, which is exactly why so many vulnerable copies are still around. Check the version string under Help > About (or inventory WinRAR.exe versions across the fleet) rather than assuming it was taken care of. Yet here we are, watching sophisticated attacks succeed with recycled exploits. Some things never change.