#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

winrar | Breaking Cybersecurity News | The Hacker News

Category — winrar
APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

Nov 22, 2024 Cyber Attack / Malware
The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asyncshell. The attack campaign is said to have used Hajj -themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as APT-K-47, is a threat actor of South Asian origin that has been active since at least 2022, primarily targeting Pakistani entities. The group's tactics and tooling have been found to share similarities with those of other threat actors operating in the regions, such as SideWinder, Confucius, and Bitter. In October 2023, the group was linked to a spear-phishing campaign that delivered a backdoor called ORPCBackdoor as part of attacks directed against Pakistan and other countries. The exact initial access vector employed by Mysterious Elephant in the latest campaign is not known, but
FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

May 30, 2024 Cyber Attack / Malware
Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine. "The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures," Cloudflare's threat intelligence team Cloudforce One said in a new report published today. "If opened, the files would result in infection with the PowerShell malware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of additional payloads and control over the victim's system." FlyingYeti is the denomination used by the web infrastructure company to track an activity cluster that the Computer Emergency Response Team of Ukraine (CERT-UA) is tracking under the moniker UAC-0149. Previous attacks disclosed by the cybersecurity agency have involved the use of malicious attachme
Cyber Story Time: The Boy Who Cried "Secure!"

Cyber Story Time: The Boy Who Cried "Secure!"

Nov 21, 2024Threat Detection / Pentesting
As a relatively new security category, many security operators and executives I've met have asked us "What are these Automated Security Validation (ASV) tools?" We've covered that pretty extensively in the past, so today, instead of covering the " What is ASV?" I wanted to address the " Why ASV?" question. In this article, we'll cover some common use cases and misconceptions of how people misuse and misunderstand ASV tools daily (because that's a lot more fun). To kick things off, there's no place to start like the beginning. Automated security validation tools are designed to provide continuous, real-time assessment of an organization's cybersecurity defenses. These tools are continuous and use exploitation to validate defenses like EDR, NDR, and WAFs. They're more in-depth than vulnerability scanners because they use tactics and techniques that you'll see in manual penetration tests. Vulnerability scanners won't relay hashes or combine vulnerabilities to further attacks, whic
UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

Dec 22, 2023 Malware / Cyber Attack
The threat actor known as  UAC-0099  has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct  said  in a Thursday analysis. UAC-0099 was  first documented  by the Computer Emergency Response Team of Ukraine (CERT-UA) in June 2023, detailing its attacks against state organizations and media entities for espionage motives. The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of  LONEPAGE , a Visual Basic Script (VBS) malware that's capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware. "During 2022-2023, the mentioned group received unauthorized remote access to several dozen computer
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

Dec 05, 2023 Email Security / Vulnerability
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant  attributed  the intrusions to a threat actor it called  Forest Blizzard  (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. The security vulnerability in question is  CVE-2023-23397  (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023. The goal, according to the Polish Cyber Command (DKWOC), is to obtain unauthorized access to mailboxes belonging to public and private entities in the country. "In the next stage of malici
Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

Nov 23, 2023 Malware / Cyber Espionage
A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni , which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan (RAT) capable of extracting information and executing commands on compromised devices," Fortinet FortiGuard Labs researcher Cara Lin  said  in an analysis published this week. The  cyber espionage   group  is notable for its  targeting of Russia , with the modus operandi involving the use of spear-phishing emails and malicious documents as entry points for their attacks. Recent attacks documented by Knowsec and ThreatMon have leveraged the  WinRAR vulnerability  (CVE-2023-38831) as well as obfuscated Visual Basic scripts to drop  Konni RAT  and a Windows Batch script capable of
Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

Nov 16, 2023 Advanced Persistent Threat / Zero-Day
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described  DarkCasino  as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process," the company  said  in an analysis. "Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online property." DarkCasino was most recently linked to the zero-day exploitation of  CVE-2023-38831  (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads. In August 2023, Group-IB disclosed real-world attacks weaponizing the vulnerability and aimed at online trading forums at least since April 2023 to deli
SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

Nov 07, 2023 Vulnerability / Malware
The Pakistan-linked threat actor known as  SideCopy  has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a compatible version of Ares RAT. SideCopy, active since at least 2019, is  known  for its  attacks  on Indian and Afghanistan entities. It's suspected to be a sub-group of the Transparent Tribe (aka APT36) actor. "Both SideCopy and APT36 share infrastructure and code to aggressively target India," SEQRITE researcher Sathwik Ram Prakki  said  in a Monday report. Earlier this May, the group was  linked  to a phishing campaign that took advantage of lures related to India's Defence Research and Development Organization (DRDO) to deliver information-stealing malware. Since
Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

Oct 19, 2023 Cyber Threat / Vulnerability
A number of state-back threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is  CVE-2023-38831  (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively exploited since at least April 2023. Google Threat Analysis Group (TAG), which  detected  the activities in recent weeks, attributed them to three different clusters it tracks under the geological monikers  FROZENBARENTS  (aka Sandworm),  FROZENLAKE  (aka APT28), and  ISLANDDREAMS  (aka APT40). The phishing attack linked to Sandworm impersonated a Ukrainian drone warfare training school in early September and distributed a malicious ZIP file exploiting CVE-2023-38831 to deliver Rhadamanthys, a commodity stealer malware which is offered for sale for $250 for a monthly subscription. APT28,
Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Oct 16, 2023 Vulnerability / Hacking
Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as CVE-2023-38831," Cluster25  said  in a report published last week. The archive contains a booby-trapped PDF file that, when clicked, causes a Windows Batch script to be executed, which launches PowerShell commands to open a reverse shell that gives the attacker remote access to the targeted host. Also deployed is a PowerShell script that steals data, including login credentials, from the Google Chrome and Microsoft Edge browsers. The captured information is exfiltrated via a legitimate web service webhook[.]site. CVE-2023-38831 refers to a  high-severity flaw  in WinRAR that allows at
Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT

Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with Venom RAT

Sep 21, 2023 Vulnerability / Exploit
A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with Venom RAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as  CVE-2023-25157 ," Palo Alto Networks Unit 42 researcher Robert Falcone  said . While  bogus PoCs  have become a  well-documented gambit  for targeting the  research community , the cybersecurity firm suspected that the threat actors are opportunistically targeting other crooks who may be adopting the latest vulnerabilities into their arsenal. whalersplonk, the  GitHub account  that hosted the repository, is no longer accessible. The PoC is said to have been committed on August 21, 2023, four days after the vulnerability was publicly announced. CVE-2023-40477 relates to an  imp
WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

Aug 24, 2023 Endpoint Security / Zero-Day
A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as  CVE-2023-38831 , allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files. It was addressed in  version 6.23  released on August 2, 2023, alongside CVE-2023-40477. In attacks discovered by the Singapore-based firm in July 2023, specially crafted ZIP or RAR archive files distributed via trading-related forums such as Forex Station have been used to deliver a variety of malware families such as DarkMe,  GuLoader , and  Remcos RAT . "After infecting devices, the cybercriminals withdraw money from broker accounts," Group-IB malware analyst Andrey Polovinkin  said , adding as many as 130 traders' devices have been compromised as part of the campaign. T
New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC

New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC

Aug 21, 2023 Vulnerability / Cyber Threat
A high-severity security flaw has been disclosed in the WinRAR utility that could be potentially exploited by a threat actor to achieve remote code execution on Windows systems. Tracked as  CVE-2023-40477  (CVSS score: 7.8), the vulnerability has been described as a case of improper validation while processing recovery volumes. "The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer," the Zero Day Initiative (ZDI)  said  in an advisory. "An attacker can leverage this vulnerability to execute code in the context of the current process." Successful exploitation of the flaw requires user interaction in that the target must be lured into visiting a malicious page or by simply opening a booby-trapped archive file. A security researcher, who goes by the alias goodbyeselene, has been credited with discovering and reporting the flaw on June 8, 2023. The issue has been address
Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer

Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer

Oct 21, 2021
A new security weakness has been disclosed in the WinRAR trialware file archiver utility for Windows that could be abused by a remote attacker to execute arbitrary code on targeted systems, underscoring how vulnerabilities in such software could beсome a gateway for a roster of attacks. Tracked as CVE-2021-35052, the bug impacts the trial version of the software running version 5.70. "This vulnerability allows an attacker to intercept and modify requests sent to the user of the application," Positive Technologies' Igor Sak-Sakovskiy  said  in a technical write-up. "This can be used to achieve remote code execution (RCE) on a victim's computer." The issue has since been addressed in WinRAR version 6.02 released on June 14, 2021. Sak-Sakovskiy noted that an investigation into WinRAR began after observing a JavaScript error rendered by MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office
Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

Mar 28, 2019
An Iran-linked cyber-espionage group that has been found targeting critical infrastructure , energy and military sectors in Saudi Arabia and the United States two years ago continues targeting organizations in the two nations, Symantec reported on Wednesday. Widely known as APT33 , which Symantec calls Elfin , the cyber-espionage group has been active since as early as late 2015 and targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world. Symantec started monitoring Elfin's attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations with 42% most recent attacks observed against Saudi Arabia and 34% against the United States. Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcar
Patched WinRAR Bug Still Under Active Attack—Thanks to No Auto-Updates

Patched WinRAR Bug Still Under Active Attack—Thanks to No Auto-Updates

Mar 15, 2019
Various cyber criminal groups and individual hackers are still exploiting a recently patched critical code execution  vulnerability in WinRAR , a popular Windows file compression application with 500 million users worldwide. Why? Because the WinRAR software doesn't have an auto-update feature, which, unfortunately, leaves millions of its users vulnerable to cyber attacks. The critical vulnerability (CVE-2018-20250) that was patched late last month by the WinRAR team with the release of WinRAR version 5.70 beta 1 impacts all prior versions of WinRAR released over the past 19 years. For those unaware, the vulnerability is "Absolute Path Traversal" bug that resides in the old third-party library UNACEV2.DLL of WinRAR and allows attackers to extract a compressed executable file from the ACE archive to one of the Windows Startup folders, where the malicious file would automatically run on the next reboot. Therefore, to successfully exploit this vulnerability and tak
Latest WinRAR Flaw Being Exploited in the Wild to Hack Windows Computers

Latest WinRAR Flaw Being Exploited in the Wild to Hack Windows Computers

Feb 26, 2019
It's not just the critical Drupal vulnerability that is being exploited by in the wild  cybercriminals to attack vulnerable websites that have not yet applied patches already available by its developers, but hackers are also exploiting a critical WinRAR vulnerability that was also revealed last week. A few days ago, The Hacker News reported about a 19-year-old remote code execution vulnerability disclosed by Check Point in the UNACEV2.dll library of WinRAR that could allow a maliciously-crafted ACE archive file to execute arbitrary code on a targeted system. WinRAR is a popular Windows file compression application with 500 million users worldwide, but a critical "Absolute Path Traversal" bug (CVE-2018-20250) in its old third-party library, called UNACEV2.DLL, could allow attackers to extract a compressed executable file from the ACE archive to one of the Windows Startup folders, where the file would automatically run on the next reboot. To successfully exploit the
Warning: Critical WinRAR Flaw Affects All Versions Released In Last 19 Years

Warning: Critical WinRAR Flaw Affects All Versions Released In Last 19 Years

Feb 21, 2019
Beware Windows users... a new dangerous remote code execution vulnerability has been discovered in the WinRAR software, affecting hundreds of millions of users worldwide. Cybersecurity researchers at Check Point have disclosed technical details of a critical vulnerability in WinRAR—a popular Windows file compression application with 500 million users worldwide—that affects all versions of the software released in last 19 years. The flaw resides in the way an old third-party library, called UNACEV2.DLL, used by the software handled the extraction of files compressed in ACE data compression archive file format. However, since WinRAR detects the format by the content of the file and not by the extension, attackers can merely change the .ace extension to .rar extension to make it look normal. According to researchers, they found an "Absolute Path Traversal" bug in the library that could be leveraged to execute arbitrary code on a targeted system attempting to uncompre
Millions of PCs Found Running Outdated Versions of Popular Software

Millions of PCs Found Running Outdated Versions of Popular Software

Jan 24, 2019
It is 2019, and millions of computers still either have at least one outdated application installed or run outdated operating systems, making themselves vulnerable to online threats and known security vulnerabilities/exploits. Security vendor Avast has released its PC Trends Report 2019 revealing that millions of users are making themselves vulnerable to cyber attacks by keeping outdated versions of popular applications on their computers. Probably the most overlooked vectors for any cyber attack is out-of-date programs, which most of the times, is the result of the users' laziness and company's administrators ignoring the security updates in a business environment as they can't afford the downtime. According to the report [ PDF ],  Adobe Shockwave tops the list of software that most user left outdated on their PCs, followed by VLC Media Player, Skype, Java Runtime Environment , 7-Zip File Manager, and Foxit Reader. The outdated software applications often provide an ope
THN Weekly Roundup — 11 Most Important Hacking News Stories

THN Weekly Roundup — 11 Most Important Hacking News Stories

Oct 05, 2015
We are back with our last week's top cyber security threats and challenges, just in case you missed any of them ( ICYMI ). THN Weekly Round Up is The Hacker News efforts to help you provide all important stories of last week in one shot. We recommend you read the full story ( just click 'Read More' because there's some valuable advice in there as well ). Here's the list: 1. Quantum Teleportation — Scientists Teleported Quantum Data over 60 Miles While the world is battling between Quantum computers and Encryption , the NIST Scientists have set a new record in the field of " Quantum Teleportation "... …by successfully Teleporting a small amount of data (qubit) inside light particles over a distance of 60 Miles (100 km) through a network of optical fiber – the record which is four times faster than previous one. To know how the Quantum Teleportation works and how the researchers able to reach this record, Read More … 2. Pirate Bay co-fo
Expert Insights / Articles Videos
Cybersecurity Resources