
What is WinRAR?

WinRAR is a popular utility tool for file compression/decompression and archive management.

What is the Attack?

CVE-2023-38831 is an arbitrary code execution vulnerability that affects WinRAR versions before 6.23. The vulnerability allows threat actors to craft a ZIP archive that contains a folder and a file with the same filename. Opening the file (some refer to this as "viewing" it) launches a malicious script located in the folder.
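As an added defender-side example that is not part of the FortiGuard advisory, the Python below scans a ZIP archive's entry list for the layout described above, a file and a folder sharing one name at the same level, and builds a constructed sample archive to test against; all file names are made up.

```python
"""Flag ZIP archives whose layout matches the CVE-2023-38831 lure pattern:
a file and a folder with the same name, where the folder holds a script."""
import io
import zipfile


def collision_report(zip_bytes: bytes) -> dict[str, list[str]]:
    """Return {file_name: [entries inside the same-named folder]} for every
    file whose name is also used as a folder. Names are compared in lower
    case because the Windows file system is case-insensitive."""
    file_names: set[str] = set()
    folder_children: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.is_dir():
                # Explicit directory entry, possibly empty.
                folder_children.setdefault(name.rstrip("/"), [])
                continue
            file_names.add(name)
            # Every parent path segment of a file is an implied folder.
            parts = name.split("/")
            for i in range(1, len(parts)):
                folder = "/".join(parts[:i])
                folder_children.setdefault(folder, []).append(name)
    return {f: folder_children[f] for f in sorted(file_names)
            if f in folder_children}


def is_suspicious(zip_bytes: bytes) -> bool:
    """True when at least one file/folder name collision exists."""
    return bool(collision_report(zip_bytes))


def build_sample(collide: bool) -> bytes:
    """Constructed test archive (not a real-world sample): a decoy document
    plus a folder that, when collide=True, reuses the document's name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed decoy")
        folder = "invoice.pdf" if collide else "attachments"
        zf.writestr(f"{folder}/invoice.cmd", b"rem constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(f"collide={flag}: suspicious={is_suspicious(build_sample(flag))}")
```

The same `collision_report` check can be run over archives pulled from mail gateways or file shares to triage candidates before opening them in an unpatched WinRAR.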

Why is this Significant?

This is significant because WinRAR is widely used and CVE-2023-38831 was reportedly exploited as a 0-day in April 2023. As a result, multiple malware families have reportedly been deployed through it. FortiGuard Labs strongly recommends that all WinRAR users update to the latest version as soon as possible.

What is the Vendor Solution?

The vendor has released WinRAR version 6.23 that includes a fix for CVE-2023-38831.

What FortiGuard Coverage is available?

FortiGuard Labs has the following AV signatures against the files reportedly used in attacks involving CVE-2023-38831:

W32/Darkme.A!tr
W32/NDAoF
PossibleThreat.DU
W32/VB_AGen.EX!tr
W32/ETCH!tr
NSIS/Injector.15D3!tr
PossibleThreat.FORTIEDR.H
W32/PossibleThreat
Malicious_Behavior.SB

Web Filtering blocks all reported network IOCs.