CVE-2023-38831 — RARLAB WinRAR Code Execution Vulnerability

CVE-2023-38831

WinRAR — ZIP Archive Spoofing Triggers Executable When User Views Apparently Benign File; Exploited Since April 2023

What is WinRAR?

WinRAR is the world's most widely used file archiving utility, with over 500 million users globally. It supports multiple archive formats including RAR and ZIP, and is used across trading communities, gaming forums, and enterprises for file distribution and management. Because ZIP files are routinely shared as attachments and downloads — and because users habitually double-click files within archives to open them — a vulnerability that triggers code execution when a user appears to open a benign file is one of the most powerful and reliable initial access vectors available.

Overview

CVE-2023-38831 is a code execution vulnerability in WinRAR where a specially crafted ZIP archive causes WinRAR to execute a malicious file when the user attempts to view what appears to be a benign file (e.g., a PDF or image). The vulnerability was exploited in the wild for approximately four months before discovery, with Group-IB tracing active campaigns targeting financial traders back to April 2023. At least eight distinct threat groups exploited it, including state-sponsored APT groups from Russia and China as well as financially motivated actors. RARLAB patched it in WinRAR 6.23 on August 23, 2023.

Affected Versions

Product          Affected                 Fixed
RARLAB WinRAR    Prior to version 6.23    6.23

WinRAR does not auto-update; users must manually download and install the latest version.

Technical Details

The vulnerability (CWE-345 — insufficient verification of data authenticity) exploits a quirk in how WinRAR processes ZIP archives that contain both a file and a same-named folder. For example, a ZIP archive may contain:

  • invoice.pdf (a benign-looking PDF)
  • invoice.pdf/ (a folder with the same name as the PDF)
  • invoice.pdf/malware.cmd (an executable hidden inside the folder)

When the user double-clicks invoice.pdf in WinRAR to preview it, WinRAR's processing incorrectly executes files from the same-named folder rather than opening the apparent PDF. This allows an attacker to deliver a ZIP archive that, when a user views a seemingly safe file, silently executes a malicious script, batch file, or executable.

Crafting such archives is trivial for an attacker, and the lure content (the visible "PDF" or "image") can be made indistinguishable from a legitimate file, making this exceptionally effective in phishing campaigns.
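The layout described above can be checked for without opening anything in WinRAR: read the ZIP central directory and look for a plain file entry whose full path also appears as a directory that holds a script or executable. The scanner below is an added example for this page, not RARLAB's or Group-IB's code; the executable-suffix list and the in-memory sample archives it builds (placeholder text only, no payload) are constructed here for illustration.

```python
"""Static check for the CVE-2023-38831 archive layout: a file entry that also
exists as a directory, with a script or executable inside that directory.
Only the ZIP central directory is read; nothing is extracted or run.
Added example for this page, not RARLAB code; the suffix list and the sample
archives are constructed here."""
import io
import zipfile

# Suffixes Windows hands to a shell or script host when "opened".
# Constructed for this example; align with local policy.
EXECUTABLE_SUFFIXES = (
    ".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".lnk",
    ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
)


def _normalize(name: str) -> str:
    """Lower-case each path component and trim trailing blanks, so that
    'Invoice.pdf ' and 'invoice.pdf' are treated as the same name."""
    return "/".join(part.rstrip(" ").lower() for part in name.split("/"))


def find_decoy_collisions(archive_bytes: bytes) -> list:
    """Return sorted (decoy_file, hidden_executable) pairs.

    A pair means `decoy_file` is a plain file entry and an entry with an
    executable suffix lives under a directory whose path equals the decoy's
    path, i.e. invoice.pdf next to invoice.pdf/malware.cmd."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Directory entries end in "/"; only plain files can be decoys.
        entries = [n for n in zf.namelist() if not n.endswith("/")]
    normed = [(_normalize(n), n) for n in entries]
    hits = []
    for norm_file, raw_file in normed:
        prefix = norm_file + "/"
        for norm_other, raw_other in normed:
            if norm_other.startswith(prefix) and norm_other.endswith(EXECUTABLE_SUFFIXES):
                hits.append((raw_file, raw_other))
    return sorted(hits)


def build_inert_sample(decoy: str, hidden: str = "") -> bytes:
    """Construct an in-memory test archive containing only placeholder text.
    Used for the demonstration and tests; there is no payload here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy, "placeholder decoy content (constructed)")
        if hidden:
            zf.writestr(hidden, "rem placeholder text, not a script (constructed)")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_inert_sample("invoice.pdf", "invoice.pdf/malware.cmd")
    for decoy, hidden in find_decoy_collisions(sample):
        print(f"SUSPICIOUS: {decoy!r} shadows a directory holding {hidden!r}")
```

Names are compared after lowercasing and trimming trailing spaces from each path component, so small spelling variations between the decoy and the folder still collide. A legitimate archive with scripts inside an ordinary folder (docs/run.cmd) is not flagged, because "docs" exists only as a directory, never as a file entry.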

Discovery

Group-IB researchers discovered the zero-day during threat intelligence analysis of malicious archives circulating in online trading communities. They traced active exploitation back to April 2023 — meaning the vulnerability was weaponized for roughly four months before any patch existed. Group-IB disclosed responsibly to RARLAB, and WinRAR 6.23 was released the same day Group-IB published their public advisory.

Exploitation Context

CVE-2023-38831 saw some of the broadest nation-state exploitation of any single vulnerability in 2023. Google's Threat Analysis Group documented its use by at least four distinct state-sponsored groups:

  • APT28 (Russia/Fancy Bear): Targeting European political organizations and Ukrainian government entities
  • APT40 (China/TEMP.Periscope): Targeting Papua New Guinea government
  • Sandworm (Russia/GRU): Targeting Ukrainian entities
  • Financially motivated actors: Targeting cryptocurrency trading forums and financial sector organizations

The trading community angle was particularly effective: attacker-controlled accounts in online trading forums posted archives purportedly containing trading strategies, scripts, or tools — legitimate-looking content that traders routinely download and open.

Remediation

  1. Update WinRAR to version 6.23 or later — download from win-rar.com and install. WinRAR does not auto-update.
  2. Consider deploying enterprise-wide WinRAR updates via software management tools (SCCM, Intune, PDQ) — manual updates are easily missed at scale.
  3. Consider alternative archive tools with automatic update mechanisms (7-Zip, Windows' built-in ZIP support) that do not have this class of vulnerability in their current versions.
  4. Educate users — archive files received from unknown sources or unexpected senders warrant extra scrutiny, particularly those containing financial strategy documents, trading tools, or similar high-interest bait content.
  5. Deploy email and web gateway filtering to detect and block malicious archive files — security vendors updated their signatures to detect CVE-2023-38831 exploitation patterns after the August 2023 disclosure.
  6. Review endpoint detection alerts for suspicious processes launched by WinRAR.exe — EDR/AV tools should now flag the characteristic exploitation pattern.
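Item 6 can be turned into a concrete hunt: the exploitation pattern is WinRAR.exe as the parent of a script host such as cmd.exe or wscript.exe, which is rare in normal use (opening a PDF from an archive spawns the PDF reader, not a shell). The Python below is an added example for this page, not vendor or EDR code; the JSON-lines telemetry it runs over is constructed with Sysmon Event ID 1 style field names (ParentImage, Image, CommandLine), and the hosts, user names and paths in it are made up.

```python
"""Hunt process-creation telemetry for WinRAR.exe spawning a script host.
Added example for this page, not vendor code.  The events are constructed
JSON lines using Sysmon Event ID 1 field names; adapt the names to your EDR."""
import json
import ntpath

# Interpreters a double-clicked .cmd/.bat/.vbs/.js/.hta would run under.
SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample telemetry (hosts, users and temp paths are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Host": "WS-01",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Program Files\Adobe\Acrobat\AcroRd32.exe",
     "CommandLine": r'"AcroRd32.exe" C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\report.pdf'},
    {"RecordId": 2, "Host": "WS-01",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\Rar$DIa0.456\invoice.pdf \invoice.pdf .cmd"'},
    {"RecordId": 3, "Host": "WS-02",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe"},
    {"RecordId": 4, "Host": "WS-02",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\AppData\Local\Temp\Rar$DIa0.789\notes.txt"},
    {"RecordId": 5, "Host": "WS-03",
     "ParentImage": r"c:\program files\winrar\winrar.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\carol\AppData\Local\Temp\Rar$DIa1.001\chart.png \chart.png .vbs"'},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def is_winrar_script_spawn(event: dict) -> bool:
    """True when the parent is WinRAR.exe and the child is a script host.
    ntpath handles Windows paths regardless of the analysis platform."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    return parent == "winrar.exe" and child in SCRIPT_HOSTS


def triage(jsonl: str) -> list:
    """Parse JSON-lines telemetry and return the events matching the hunt."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_winrar_script_spawn(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for ev in triage(SAMPLE_JSONL):
        child = ntpath.basename(ev["Image"])
        print(f"[{ev['Host']}] WinRAR.exe -> {child}: {ev['CommandLine']}")
```

Records 1 and 4 show WinRAR legitimately handing a file to a viewer and are left alone; record 3 is a shell from Explorer, not WinRAR. Only records 2 and 5 match, and the command line in each points at a file inside the archive's temporary extraction folder, which is the detail an analyst would pivot on.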

Key Details

Property               Value
CVE ID                 CVE-2023-38831
Vendor / Product       RARLAB — WinRAR
NVD Published          2023-08-23
NVD Last Modified      2025-10-31
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-345
CISA KEV Added         2023-08-24
CISA KEV Deadline      2023-09-14
Known Ransomware Use   Yes

CVSS 3.1 Breakdown

Attack Vector          Local
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2023-09-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2023-04-01    Group-IB identifies earliest evidence of CVE-2023-38831 exploitation in the wild
2023-08-23    Group-IB publicly discloses the vulnerability; RARLAB releases WinRAR 6.23 with fix
2023-08-24    Added to CISA Known Exploited Vulnerabilities catalog
2023-09-14    CISA BOD 22-01 remediation deadline