Defending Against the Amamarth-Dragon WinRAR Exploit: Critical Patching and Detection Strategies
A new wave of cyber-espionage attacks attributed to the Chinese threat group known as 'Amamarth-Dragon' (also tracked as Storm-0062) is actively exploiting a critical vulnerability in WinRAR. As this utility is ubiquitous in enterprise environments for data compression and archiving, this campaign represents a significant risk to organizations worldwide.
For defenders, the primary concern is the delivery method: the attackers use a crafted archive that looks benign to the user and to gateway filters, and code execution happens when a file inside it is opened on the endpoint. This post outlines the technical details of the threat and provides actionable detection queries and remediation steps to secure your environment.
Technical Analysis
Check Point researchers have linked recent attacks to a sophisticated operation exploiting a vulnerability in WinRAR (primarily tracked as CVE-2023-38831). The flaw lets an attacker execute arbitrary code on a victim's machine once the victim opens a seemingly innocuous file from inside a crafted archive; merely receiving or listing the archive is not enough, which is why the lures are built to be clicked.
- Vulnerability: CVE-2023-38831 (and related path traversal flaws in archive extraction).
- Affected Products: WinRAR versions prior to 6.23 on Windows. The vulnerability is triggered through ZIP archives opened in WinRAR, so filtering on the .rar extension alone does not help.
- Mechanism: The archive contains a decoy file with a benign extension (for example PNG, JPG or PDF) and, alongside it, a folder with exactly the same name; that folder holds a script (for example a CMD or BAT file) whose name begins with the decoy's name. Both names carry a trailing space, which is what makes the file lookup at launch time fall through to the script. When the user double-clicks the decoy inside WinRAR, the decoy and the folder's contents are extracted to WinRAR's temporary directory and the script runs instead of the image, giving code execution under the user's account. The related path traversal flaws work differently: a crafted entry name escapes the chosen extraction directory, so an extracted script can land in a location such as the Startup folder and run at the next logon.
- Severity: High (CVSS 3.1 base score 7.8). The attack needs a user action (opening the file inside the archive), but exploit complexity is low and no privileges are required.
- Patch Status: RARLAB fixed this flaw in WinRAR 6.23, released in August 2023; later releases also contain the fix.
Defensive Monitoring
To detect potential exploitation or identify vulnerable assets within your environment, security teams should implement the following queries.
1. Verify WinRAR Version (PowerShell)
Use this script to scan endpoints for outdated versions of WinRAR. As written it checks the local machine; to cover remote hosts, wrap it in Invoke-Command or push it through your endpoint management tooling, which requires administrative rights on the targets. The version string is parsed defensively because FileVersion is free text and may carry suffixes.
# Check for vulnerable WinRAR versions (< 6.23, the release that fixed CVE-2023-38831).
# Runs locally; wrap in Invoke-Command -ComputerName to fan out to remote hosts.
$winrarPaths = @(
    "${env:ProgramFiles}\WinRAR\WinRAR.exe",
    "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe"
)
# Compare against "6.23" rather than "6.23.0": [version]"6.23" has Build -1, so a
# binary reporting exactly "6.23" is not misreported as older than the fix.
$patched = [version]"6.23"
foreach ($path in $winrarPaths) {
    if (-not (Test-Path $path)) { continue }
    $versionInfo = (Get-Item $path).VersionInfo
    # Prefer the parsed FileVersionRaw (PowerShell 5.1+); fall back to the free-text FileVersion
    # and keep only the leading dotted number so stray suffixes do not break the [version] cast.
    $raw = if ($versionInfo.FileVersionRaw) { $versionInfo.FileVersionRaw.ToString() } else { $versionInfo.FileVersion }
    if ($raw -match '^\d+(\.\d+){1,3}') {
        $fileVersion = [version]$Matches[0]
    } else {
        Write-Warning "Cannot parse version '$raw' at $path"
        continue
    }
    Write-Host "Found WinRAR at: $path"
    Write-Host "Current Version: $fileVersion"
    if ($fileVersion -lt $patched) {
        Write-Host "[ALERT] Vulnerable version detected!" -ForegroundColor Red
    } else {
        Write-Host "[OK] Version is patched." -ForegroundColor Green
    }
}
2. Detection of Suspicious WinRAR Child Processes (KQL)
Exploitation of CVE-2023-38831 ends with WinRAR.exe launching a script interpreter (usually cmd.exe, since the dropped file is a CMD or BAT script) from its temporary extraction directory, which WinRAR names with a Rar$ prefix under the user's %TEMP%. This KQL query for Microsoft Sentinel or Microsoft Defender XDR (formerly Microsoft 365 Defender) surfaces interpreter child processes of WinRAR and marks those whose command line points into such a directory. Expect some benign noise from self-extracting or scripted workflows; triage on the command line.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "WinRAR.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe")
// WinRAR extracts double-clicked files into %TEMP%\Rar$...; a script started from there is the exploit's signature.
| extend FromRarTemp = ProcessCommandLine contains "Rar$"
| project Timestamp, DeviceName, AccountName, FromRarTemp, InitiatingProcessCommandLine, ProcessCommandLine, FileName
| order by FromRarTemp desc, Timestamp desc
3. Hunt for Script Execution from Startup Folders (KQL)
Because the path traversal variants of these archive flaws write into the Windows Startup folder to gain persistence, and a script dropped there runs at the next logon, detecting script creation in these directories is crucial. The query covers both the per-user and the all-users Startup folders, since FolderPath holds the full path.
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in~ ("FileCreated", "FileRenamed", "FileModified")
| where FolderPath contains "\\Start Menu\\Programs\\Startup"
| where FileName endswith ".cmd" or FileName endswith ".bat" or FileName endswith ".vbs" or FileName endswith ".ps1"
| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath
| order by Timestamp desc
Remediation
To protect your organization against the Amamarth-Dragon campaign and similar WinRAR-based attacks, implement the following remediation steps immediately:
- Patch Immediately: Update all instances of WinRAR to the latest version (6.24 or later; 6.23 is the minimum that contains the CVE-2023-38831 fix). WinRAR has no built-in auto-update, so each install has to be replaced; ensure your software deployment tools (Configuration Manager, Intune) are pushing the new package and use the version check above to confirm coverage.
- Application Allowlisting: If WinRAR is not business-critical for all users, block its execution via AppLocker or Windows Defender Application Control (WDAC) for standard users who do not require archiving tools.
- User Awareness: Brief your security operations team and end-users about the risks of downloading archived files (ZIP, RAR) from untrusted sources, especially via email. Remind users that double-clicking a file inside an archive can execute code if the archiver is outdated.
- Email Gateway Filtering: Configure secure email gateways to sandbox archive files. Ensure that archives containing nested scripts, entries with path traversal sequences, or double file extensions are blocked or detonated in a sandbox environment before delivery.
- Audit for Persistence: Use the KQL queries above to audit your environment for any scripts currently residing in Startup folders that may have been dropped by a prior successful exploit.
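The archive layout described under Technical Analysis and the gateway checks in the Email Gateway Filtering step, as an added example that is not code from the original post, from Check Point or from RARLAB: the script builds an in-memory ZIP with the decoy-plus-folder structure, a path traversal entry and a double-extension entry (all constructed here, with harmless echo commands as content), then lists the archive and flags each condition. ZIP is used because the vulnerability is triggered through ZIP archives opened in WinRAR and the Python standard library can both build and list ZIPs offline; for RAR files, feed the name listing from a RAR parser or unrar into the same check functions. The extension list and the Startup path pattern are assumptions chosen for this example.

```python
"""
Added example for this post, not Check Point's or RARLAB's code: scan an
archive's entry listing for the CVE-2023-38831 decoy-plus-folder layout,
for path-traversal entry names and for double extensions, the three
conditions a gateway should sandbox or block on. The sample archive is
constructed in memory and contains only harmless echo commands.
"""
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions Windows hands to a script host or runs directly (assumed list).
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr", ".hta"}


def entry_names(data: bytes) -> list[str]:
    """Raw entry names of an in-memory ZIP (WinRAR opens ZIP as well as RAR).
    Backslashes are normalised so the checks below deal with one separator;
    a RAR listing from another tool can be fed to the same checks."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename.replace("\\", "/") for zi in zf.infolist()]


def is_script(name: str) -> bool:
    return posixpath.splitext(name)[1].lower() in SCRIPT_EXTENSIONS


def find_decoy_pairs(names: list[str]) -> list[tuple[str, str]]:
    """CVE-2023-38831 layout: a top-level file 'X' (usually with a trailing
    space), a directory 'X/' and a script 'X/X.<ext>' inside it.
    Directories are inferred from parent paths too, since an archive need
    not carry an explicit directory entry. Returns (decoy, script) pairs."""
    dirs = {n[:-1] for n in names if n.endswith("/")}
    dirs |= {n.rpartition("/")[0] for n in names if "/" in n}
    files = [n for n in names if not n.endswith("/")]
    pairs = []
    for decoy in files:
        if "/" in decoy or decoy not in dirs:
            continue
        for inner in files:
            parent, _, leaf = inner.rpartition("/")
            if parent == decoy and leaf.startswith(decoy) and is_script(leaf):
                pairs.append((decoy, inner))
    return pairs


def find_traversal(names: list[str]) -> list[tuple[str, str]]:
    """Entry names that would extract outside the target directory, plus any
    entry aimed at a Startup folder, tagged separately because it means persistence."""
    hits = []
    for n in names:
        if ".." in n.split("/") or n.startswith("/") or (len(n) > 1 and n[1] == ":"):
            hits.append(("traversal", n))
        if "/start menu/programs/startup/" in n.lower():
            hits.append(("startup-path", n))
    return hits


def find_double_extensions(names: list[str]) -> list[str]:
    """Leaf names such as 'quote.pdf.exe': a document-looking inner extension
    followed by a runnable one (the trailing-space variant is caught as well)."""
    hits = []
    for n in names:
        stem, ext = posixpath.splitext(n.rpartition("/")[2])
        if ext.lower() in SCRIPT_EXTENSIONS and posixpath.splitext(stem.rstrip())[1]:
            hits.append(n)
    return hits


def scan_archive(data: bytes) -> dict[str, list]:
    """Run every check; any non-empty list is grounds to sandbox or block."""
    names = entry_names(data)
    return {
        "decoy_pairs": find_decoy_pairs(names),
        "traversal": find_traversal(names),
        "double_extensions": find_double_extensions(names),
    }


def build_sample_zip() -> bytes:
    """Constructed sample that mimics the exploit layout; no real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf ", b"%PDF-1.4 decoy, not a real document")
        zf.writestr("invoice.pdf /", b"")  # directory carrying the decoy's name
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo constructed sample\r\n")
        zf.writestr("../../Start Menu/Programs/Startup/run.cmd", b"@echo constructed\r\n")
        zf.writestr("quote.pdf.exe", b"MZ")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for category, findings in scan_archive(build_sample_zip()).items():
        print(f"{category}: {findings}")
```

The decoy check deliberately does not insist on the trailing space: the space is what makes the exploit fire, but a file and a same-named folder holding a script named after that file has no legitimate reason to exist, so the pair is worth blocking either way. Run the scan on archives at the gateway or on a sandbox host before delivery; none of the checks extracts anything.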