CVE-2023-38831 is a critical vulnerability found in RARLab’s WinRAR file archiver before version 6.23. This bug allows attackers to execute malicious code on your machine simply by tricking you into opening a seemingly harmless file—often a picture—in a specially crafted ZIP archive. This flaw has already been abused by hackers worldwide, and understanding how it works is essential for anyone who handles ZIP files regularly.
What Is CVE-2023-38831?
In simple terms, this vulnerability happens because WinRAR didn’t properly handle ZIP archives containing a combination of files and folders with the same name. An attacker can create a ZIP file with:
A benign-looking file (like picture.jpg)
- A folder with the same name as the file (picture.jpg/), which actually contains a malicious executable (like script.bat or malware.exe).
When a user tries to open the benign file in WinRAR, the contents of the malicious folder are executed instead, leading to automatic malware execution.
Why Is It Dangerous?
This trick relies on the fact that people often download ZIP files from the internet—for example, from emails, Telegram, Discord, or forums. When you open the ZIP, you might see something that looks totally safe—a resume, a PDF file, a video, or an image. But clicking it can run a hidden malware script without warning.
Between April and August 2023, researchers saw cybercriminals exploit this bug to spread infostealers, remote access trojans, and ransomware. Sometimes, the attacks targeted people interested in cryptocurrency, job offers, or pirated software.
Under the Hood: How Does the Exploit Work?
Here’s a step-by-step of how a hacker would set this up (see Kaspersky’s detailed breakdown):
ZIP everything together so the top level of the archive has
When the victim tries to open photo.jpg in WinRAR
- Instead of opening photo.jpg, WinRAR runs the batch file (runme.bat) inside the folder photo.jpg, because of how it handles files and folders with the same name.
You can simulate this on Windows (for educational use only)
REM Create a benign-looking JPG
echo "Not an actual image" > photo.jpg
REM Create a folder with the same name
mkdir "photo.jpg"
REM Prepare a malicious script
echo echo Hacked! > "photo.jpg\runme.bat"
REM Zip them together
"C:\Program Files\WinRAR\WinRAR.exe" a -afzip exploit.zip photo.jpg photo.jpg\
When the victim opens photo.jpg in WinRAR, runme.bat is executed instead.
Real-World Exploitation
- Group-IB’s research found this bug being used against traders and crypto enthusiasts.
- Kaspersky analysis provides technical details of how the vulnerability was weaponized.
- Bleeping Computer’s report discussed Russian-speaking groups exploiting this issue since April 2023.
How Can You Protect Yourself?
- Upgrade WinRAR: Download version 6.23 or later from rarlab.com.
- Don’t open suspicious archives: Be wary of ZIP, RAR, or other archive files from unknown sources.
- Verify before opening: Even if a file seems safe (.jpg, .pdf), if it’s inside an archive you received from somewhere suspicious, treat it with caution.
References
- CVE-2023-38831 Advisory
- Kaspersky blog: Technical deep dive
- Group-IB blog: In-the-wild exploitation
- BleepingComputer: Attack reports
- RARLab WinRAR download page
In Closing
CVE-2023-38831 is a clever but sneaky trick, showing how even experienced users can get hit by something as simple as opening a ZIP file. The best way to stay safe is to keep your software up-to-date and always treat unexpected files with suspicion—especially when hackers are actively exploiting new tricks like this.
Timeline
Published on: 08/23/2023 17:15:00 UTC
Last modified on: 08/29/2023 16:02:00 UTC