Didn't get paid? And in vain: the new VenomRAT virus threatens WinRAR users.

A hacker's bad joke can turn into a problem for more than 500 million WinRAR users.

According to a study by Palo Alto Networks, a cybercriminal known as "whalersplonk" took advantage of the Remote Code Execution (RCE) vulnerability in WinRAR (CVE-2023-40477), which was made public in August. The attacker quickly assembled a convincing but fake PoC (Proof of Concept) exploit for the bug and posted it in a GitHub repository, knowing that the vulnerability would attract attention: WinRAR has more than 500 million users worldwide.

The CVE-2023-40477 issue is related to insufficient verification of user-provided data while working with recovery volumes. In August, WinRAR fixed the flaw with the release of version 6.23.

According to the researchers, the PoC looked plausible because it was based on publicly available PoC code for an SQL injection vulnerability in the GeoServer application. Once executed, the fake exploit triggered an infection chain that ended with the installation of the VenomRAT payload on the victims' computers, enabling the attacker to control the infected system without the user's knowledge, collect information about the system, bypass antivirus solutions, and download additional modules to extend its capabilities.

At first glance, the attack may look like part of the campaigns that target security researchers with spyware, but Palo Alto experts believe it was actually more of a joke on the criminal's part.