How to Defend Against the Critical WinRAR Vulnerability Exploited by Amaranth-Dragon
Recent research from Check Point has linked a new wave of hacking activity to the Chinese cyber-espionage group known as Amaranth-Dragon. This campaign is actively exploiting a critical security flaw in WinRAR, a widely popular file compression utility used by millions of organizations and individuals worldwide.
For defenders, the immediate concern is the prevalence of this software. Unlike niche server software, WinRAR is often found on endpoints used by developers, finance teams, and executives. This vulnerability provides attackers with a pathway to achieve Remote Code Execution (RCE), potentially allowing them to bypass security controls and establish persistence within a corporate network.
This post analyzes the technical details of this threat and provides the specific defensive steps, monitoring queries, and remediation actions your security team needs to take now.
Technical Analysis
The core of this issue involves a vulnerability (identified as CVE-2023-38831 in recent related campaigns) in how WinRAR processes compressed archives. The flaw allows attackers to craft a malicious archive that appears to contain a harmless file (e.g., a PDF or image) but actually executes a script or binary when the target attempts to extract or open the file.
Key Technical Details:
- Vulnerability: Path Traversal / Logic Error in archive processing.
- Affected Products: Versions of WinRAR prior to 6.23.
- Severity: High (CVSS scores typically range between 7.8 and 8.8 depending on the specific vector).
- The Threat Vector: Amaranth-Dragon is using this vulnerability to deliver backdoors and malware. By disguising malicious payloads within legitimate-looking archives, they can trick users into initiating the attack chain without needing complex phishing infrastructure.
When a user interacts with the booby-trapped file, the vulnerability is triggered, executing code in the context of the user. If the user has administrative privileges, the attacker gains full control of the endpoint.
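The following Python script is an added illustration, not code from the original post or from Check Point's research. It shows the kind of pre-extraction triage a mail gateway or sandbox could apply before a user ever opens an archive: it lists the entries without extracting anything and flags the two patterns described above, path-traversal components and script or binary payloads carrying a document-style name. The in-memory archives, the extension lists and the reason strings are all constructed for this example.

```python
import io
import posixpath
import zipfile

# Extensions that run code when opened on a Windows endpoint and extensions that
# look like harmless documents. Both lists are assumptions for this triage rule,
# not an exhaustive catalogue.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".hta"}
DOCUMENT_SUFFIXES = {".pdf", ".jpg", ".png", ".docx", ".xlsx", ".txt"}


def _suffixes(name):
    """Return the lowercase extension chain of an entry, e.g. 'a.pdf.cmd' -> ['.pdf', '.cmd']."""
    base = posixpath.basename(name).strip().lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_archive(data):
    """Return a list of (entry_name, reason) findings for a ZIP archive given as bytes.

    Only the central directory is read; nothing is extracted, so the check is safe
    to run on untrusted input.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Normalise separators so traversal checks work regardless of the packer used.
            normalised = name.replace("\\", "/")
            parts = normalised.split("/")
            if normalised.startswith("/") or (len(parts[0]) == 2 and parts[0][1] == ":"):
                findings.append((name, "absolute path in entry name"))
            if ".." in parts:
                findings.append((name, "path traversal component"))
            if info.is_dir():
                continue
            suffixes = _suffixes(name)
            if not suffixes:
                continue
            if suffixes[-1] in EXECUTABLE_SUFFIXES:
                if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_SUFFIXES:
                    findings.append((name, "script or executable disguised with a document extension"))
                else:
                    findings.append((name, "script or executable entry"))
    return findings


def build_archive(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign archive and one carrying the patterns a triage rule should flag.
BENIGN = build_archive({"invoice.pdf": b"%PDF-1.4 ..."})
SUSPICIOUS = build_archive({
    "invoice.pdf": b"%PDF-1.4 ...",
    "invoice.pdf.cmd": b"@echo off\r\n",        # script hidden behind a document extension
    "../../Users/Public/run.exe": b"MZ...",     # traversal out of the extraction folder
})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, inspect_archive(blob))
```

Because the attacker controls every entry name, treat a clean listing as absence of evidence rather than proof of safety; the check is a cheap filter to run on every inbound attachment alongside the version audit, not a substitute for patching the client.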
Defensive Monitoring
To determine if your organization is vulnerable or if an exploit attempt has occurred, you should immediately scan your environment for outdated WinRAR versions and monitor for suspicious process activity related to archive extraction.
1. PowerShell Script: Check WinRAR Version
Run this script on your endpoints or via your endpoint management tool (e.g., SCCM, Intune) to identify machines running a vulnerable version of WinRAR (older than 6.23).
# Check for vulnerable WinRAR versions (< 6.23)
$WinRARPaths = @("${env:ProgramFiles}\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")
$VulnerableFound = $false
foreach ($Path in $WinRARPaths) {
    if (Test-Path $Path) {
        $FileInfo = Get-Item $Path
        $Version = [Version]$FileInfo.VersionInfo.FileVersion
        Write-Host "Found WinRAR at $Path with version: $Version"
        # Versions prior to 6.23 are vulnerable to CVE-2023-38831
        if ($Version -lt [Version]"6.23") {
            Write-Host "[ALERT] Vulnerable WinRAR version detected on $env:COMPUTERNAME" -ForegroundColor Red
            $VulnerableFound = $true
        } else {
            Write-Host "[OK] Version is patched." -ForegroundColor Green
        }
    }
}
if (-not $VulnerableFound) {
    Write-Host "No vulnerable WinRAR installations found."
}
2. KQL Query for Microsoft Sentinel / Defender
Use this KQL query to hunt for suspicious child processes spawned by WinRAR. A common tactic in this exploit is for WinRAR to launch a script (cmd, powershell, or wscript) immediately after a user opens an archive.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "WinRAR.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine, FolderPath
| order by Timestamp desc
3. PowerShell: Detect Suspicious WinRAR Child Processes
If you have EDR data exported or are analyzing a live incident response, this logic helps filter for the specific behavior of WinRAR spawning a shell.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -ErrorAction SilentlyContinue |
    Where-Object {
        # Anchor both patterns at line start so the child "Image:" line is tested, not the "ParentImage:" line
        $_.Message -match '(?m)^ParentImage:.*\\WinRAR\.exe' -and
        $_.Message -match '(?m)^Image:.*\\(cmd|powershell)\.exe'
    } |
    Select-Object TimeCreated, Id, Message | Format-List
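The KQL query and the Sysmon filter above express the same rule: WinRAR as the parent process, a script interpreter as the child. The Python script below is an added example (not part of the original post) that applies that rule to exported Sysmon Event ID 1 messages, for the case where Sysmon or EDR data has been pulled out of Windows for offline incident-response analysis. The three sample events are constructed for this example; their field names follow the Sysmon process-creation message layout, and the image lists are assumptions to tune for your environment.

```python
import ntpath

# Script hosts an archiver should not normally launch (assumed list, matching the
# KQL hunt above) and the archiver images to watch for.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ARCHIVER_IMAGES = {"winrar.exe"}


def parse_sysmon_message(message):
    """Turn the 'Key: value' lines of a Sysmon Event ID 1 message into a dict.

    Only the first colon on each line splits key from value, so Windows paths
    such as C:\\... survive intact.
    """
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_archiver_spawned_shell(fields):
    """True when the parent image is an archiver and the child image is a script host."""
    parent = ntpath.basename(fields.get("ParentImage", "")).lower()
    child = ntpath.basename(fields.get("Image", "")).lower()
    return parent in ARCHIVER_IMAGES and child in SHELL_IMAGES


def hunt(messages):
    """Return the fields an analyst triages first for every matching event."""
    keep = ("UtcTime", "User", "Image", "CommandLine", "ParentCommandLine")
    hits = []
    for message in messages:
        fields = parse_sysmon_message(message)
        if is_archiver_spawned_shell(fields):
            hits.append({key: fields.get(key, "") for key in keep})
    return hits


# Constructed sample events (not real telemetry). The first is the benign case of
# WinRAR handing a PDF to a reader, the second is the behaviour the post describes,
# the third is a shell launched from Explorer and must not match.
SAMPLE_EVENTS = [
    r"""Process Create:
UtcTime: 2024-05-02 09:14:03.117
Image: C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe
CommandLine: "C:\Program Files\Adobe\Acrobat Reader\AcroRd32.exe" "C:\Users\alice\AppData\Local\Temp\invoice.pdf"
User: CORP\alice
ParentImage: C:\Program Files\WinRAR\WinRAR.exe
ParentCommandLine: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.zip"
""",
    r"""Process Create:
UtcTime: 2024-05-02 09:14:09.402
Image: C:\Windows\System32\cmd.exe
CommandLine: C:\Windows\System32\cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice.pdf.cmd"
User: CORP\alice
ParentImage: C:\Program Files\WinRAR\WinRAR.exe
ParentCommandLine: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\alice\Downloads\invoice.zip"
""",
    r"""Process Create:
UtcTime: 2024-05-02 09:20:41.008
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -File C:\Scripts\backup.ps1
User: CORP\bob
ParentImage: C:\Windows\explorer.exe
ParentCommandLine: C:\Windows\explorer.exe
""",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Comparing on the lowercased base name rather than the full path keeps the rule stable across 32-bit and 64-bit install locations and odd casing in the log; the benign first event shows why the child image, not merely "WinRAR spawned something", has to be part of the condition.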
Remediation
Protecting your organization from the Amaranth-Dragon campaign requires immediate patching and configuration hardening.
1. Patch Immediately
The most effective remediation is to update WinRAR to the latest version. The vendor (win.rar GmbH) has released patches (version 6.23 and later) that address this vulnerability.
- Action: Deploy WinRAR version 6.24 (or newer) across all endpoints via your software deployment tools.
- Verification: Use the PowerShell script provided above to verify the update was successful.
2. User Awareness and Policy
Since this vulnerability relies on user interaction (opening a file), technical controls must be paired with user vigilance.
- Guidance: Instruct users to be wary of unexpected compressed archives, especially those received from external sources.
- Sandboxing: Encourage the use of email gateways or sandboxing solutions to detonate attachments before they reach the user's inbox.
3. Application Control (ASR Rules)
If your organization uses Microsoft Defender, consider enabling Attack Surface Reduction (ASR) rules to block Office applications from creating child processes and, where your tooling supports it, to restrict WinRAR from writing executables to user folders. Patching remains the primary mitigation; ASR rules only limit the impact of an exploit that still reaches an unpatched endpoint.