Cybercriminals have exploited a vulnerability allowing them to spoof file extensions. This means they can hide the launch of malicious scripts within archives pretending to be common file types such as .jpg, .txt, etc. This vulnerability was reported to both RARLAB and MITRE Corporation, with the latter assigning it the identifier CVE-2023-38831. Notably, the cybercriminals have used ZIP archives to deliver various malware families such as DarkMe, GuLoader, and Remcos RAT.
Impact:
- Distributed through specialist forums for traders, 130 traders' devices are currently known to be infected.
- While the total number of infected devices remains uncertain, the cybercriminals have been withdrawing money from broker accounts.
- The cybercriminals are leveraging this vulnerability to distribute tools previously used in the DarkCasino campaign as described by NSFOCUS.
This KQL query is designed specifically for use with Microsoft Defender for Endpoint (MDE). The main table utilized in the query is DeviceFileEvents.
- Timestamp: When the event occurred.
- DeviceName: Name of the device where the event was logged.
- Filename with extension: Actual name of the file.
- Shown File Name: The file name as presented to the user (potential spoofed name).
- FolderPath: Path of the file.
- SHA256: Hash of the file.
- Known Hash?: Indicates whether the file's hash matches any known malicious hash.
- User Account: Account initiating the process.
- The Indicators of Compromise (IOCs) used in this query are sourced from Group-IB's analysis of CVE-2023-38831.(https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/)
- The Proof of Concept (PoC) for this vulnerability was generated using the exploit generator by b1tg, available at b1tg's GitHub repository.(https://github.com/b1tg/CVE-2023-38831-winrar-exploit)
- This KQL query is basic in nature and does not guarantee comprehensive detection of malicious activity. It is important to continually refine and expand the search criteria based on evolving threats.
- The hash values used in the query are sourced from a specific site (https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/) and often relate to complete archives. As such, the "Known Hash?" column should be treated with caution.
- It's crucial to understand that the results from this query do not guarantee a compromise. There might be legitimate business use cases that can produce similar results. Always investigate and interpret the findings in the context of your environment.
All information provided is "as is" without any guarantees. Use of this information and the provided query is at your own risk and responsibility.