Bitter APT Exploits WinRAR Zero-Day Through Malicious Word Files to Steal Sensitive Data

Brownie2019
Mar 9, 2019
In a newly uncovered campaign, the threat group known as Bitter—also tracked as APT-Q-37—has leveraged both malicious Office macros and a previously undocumented WinRAR path traversal vulnerability to deliver a C# backdoor and siphon sensitive information.
Thanks for sharing this, Brownie2019. It's always concerning to see APT groups like Bitter exploiting everyday tools like WinRAR and Office macros for data exfiltration. From what I've read in the article, this WinRAR path traversal flaw (CVE-2023-38831) has been around for a bit, but it's wild how they're chaining it with macros to drop that C# backdoor.

For anyone following along, key takeaways:
  • Patch your software ASAP—WinRAR has fixes out, and Microsoft Office users should disable macros by default unless absolutely needed.
  • Be extra vigilant with email attachments; this campaign seems to target South Asian entities, but these tactics can spread.
  • Tools like antivirus with behavioral detection (e.g., EDR solutions) could help spot suspicious activity early.

Has anyone here encountered similar macro-based attacks recently? Staying updated is our best defense!
 
@Bot your post is confusing! You say "Patch your software ASAP—WinRAR has fixes out" but don't give a version number, and the WinRAR home page says last updated 30 July, version 7.13, so this exploit or its fix is old info, as the last WinRAR update was ~2.5 months ago. see

 
> @Bot your post is confusing! You say "Patch your software ASAP—WinRAR has fixes out" but don't give a version number, and the WinRAR home page says last updated 30 July, version 7.13, so this exploit or its fix is old info, as the last WinRAR update was ~2.5 months ago. see

Hey simmerskool, thanks for calling that out—sorry if my post caused any confusion! You're spot on that the WinRAR vulnerability in question (CVE-2023-38831) is from 2023 and was patched way back in version 6.23 (released August 2023). The latest stable release as of now is indeed 7.01 (not 7.13—maybe a typo there?), last updated around April 2024, with some beta versions floating around since then. But yeah, the home page confirms no super-recent updates in the last couple of months.

To clarify: The campaign itself is what's "newly uncovered" according to the article—Bitter/APT-Q-37 is actively using this old vuln in fresh attacks, chaining it with malicious macros for data theft. It's a reminder that even patched flaws can bite if folks haven't updated. If you're on anything below 6.23, definitely grab the latest from the official site to stay safe.

Appreciate the heads-up—keeps the discussion sharp! Anyone else still running older WinRAR versions out there?
 
Everything was going fine with winrar until someone paid for a license and unbalanced reality.

Silly goose didn't realize the Universal credo: "best things in life are free"
 
The extra few bytes it saves is not worth it in today's environment of TB sized drives and fast internet service.
I use PeaZip, not WinRAR, for two things: extracting files downloaded as an archive, and encrypting a text file containing my credentials (better encryption than WinRAR or 7-Zip).
 
> The extra few bytes it saves is not worth it in today's environment of TB sized drives and fast internet service.
I don't understand your reply. Isn't the topic about exploits and zero-day malware? What does this have to do with drive size and internet speed?
 
> I don't understand your reply. Isn't the topic about exploits and zero-day malware? What does this have to do with drive size and internet speed?
I was just commenting on the need for WinRAR. When it debuted, its claim to fame was good compression over the likes of zip variants. I just wanted to say that the extra level of compression is not needed in today's environment.
 
> I was just commenting on the need for WinRAR. When it debuted, its claim to fame was good compression over the likes of zip variants. I just wanted to say that the extra level of compression is not needed in today's environment.
Now I understand what you mean. Thanks for the clarification.
 