APT-C-08 Exploits WinRAR Vulnerability to Target South Asian Government Entities
The advanced persistent threat group APT-C-08, also known as Manlinghua or BITTER, has initiated a sophisticated cyber campaign targeting government organizations across South Asia. This operation exploits a critical directory traversal vulnerability in WinRAR, identified as CVE-2025-6218, which affects versions 7.11 and earlier. This flaw enables attackers to breach file system boundaries and execute malicious code on compromised systems.
Background on APT-C-08
APT-C-08 has a history of targeting South Asian governments, focusing on extracting sensitive information from government agencies, military-industrial complexes, overseas institutions, and universities. The group is known for its proficiency in crafting socially engineered payloads designed to bypass security measures and exploit human vulnerabilities.
Exploitation of WinRAR Vulnerability
In this latest campaign, APT-C-08 leverages CVE-2025-6218, a directory traversal vulnerability in WinRAR. This flaw allows attackers to manipulate file paths within specially crafted archive files, enabling them to place malicious files in unintended locations on the victim’s system. By exploiting this vulnerability, the group can execute arbitrary code, leading to potential system compromise.
Attack Methodology
The attack begins with the distribution of weaponized RAR archives containing deceptively named files, such as Provision of Information for Sectoral for AJK.rar. These archives exploit the WinRAR vulnerability by using specially crafted file paths that include spaces after directory traversal sequences, effectively bypassing WinRAR’s path normalization processes.
Upon extraction, the exploit drops a malicious Normal.dotm template into the Word template directory at C:\Users\[username]\AppData\Roaming\Microsoft\Templates. This placement provides persistence, because Microsoft Word automatically loads Normal.dotm from this directory whenever it starts.
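As an added example, not code from the report or from WinRAR, here is a pre-extraction audit of archive entry names that a defender could run over a listing: it treats ".." followed by trailing spaces as a parent reference, the path form this campaign used to slip past WinRAR's check, and flags entries that would land outside the extraction directory or overwrite Word's Normal.dotm. The sample entry names are constructed, and the exact number of spaces and the traversal depth are assumptions.

```python
import ntpath
# Constructed sample listing: entries 3 and 4 use ".." and ".. " (trailing
# spaces); the space count and traversal depth are assumptions, not report data.
SAMPLE_ENTRIES = [
    "Provision of Information for Sectoral for AJK.docx",
    "images\\logo.png",
    "..\\..\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "..  \\..  \\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm",
    "C:\\Users\\Public\\payload.exe",
]

def is_parent_ref(part: str) -> bool:
    """True for '..' and variants like '.. ' or '.. .' that collapse to '..' once
    trailing spaces/dots are dropped (Windows does this); '...' is flagged too."""
    core = part.rstrip(" ")
    return core.startswith("..") and core.strip(". ") == ""

def entry_escapes_root(entry_name: str) -> bool:
    """Could extracting this entry write outside the destination directory?
    Absolute/UNC/drive paths are rejected; otherwise '..' above root escapes."""
    name = entry_name.replace("/", "\\")
    if ntpath.splitdrive(name)[0] or name.startswith("\\"):
        return True
    depth = 0
    for part in name.split("\\"):
        if part.strip(" ") in ("", "."):
            continue  # empty or current-directory component
        if is_parent_ref(part):
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def targets_word_template(entry_name: str) -> bool:
    """Flag a leaf name of Normal.dotm, the global template Word loads on start."""
    leaf = ntpath.basename(entry_name.replace("/", "\\")).rstrip(" .")
    return leaf.lower() == "normal.dotm"

def audit_entries(entries):
    """Return (entry, reason) pairs for entries to block before extraction."""
    findings = []
    for entry in entries:
        if entry_escapes_root(entry):
            findings.append((entry, "path escapes extraction directory"))
        elif targets_word_template(entry):
            findings.append((entry, "writes Word global template Normal.dotm"))
    return findings
```

Run `audit_entries(SAMPLE_ENTRIES)` to see both the plain and the space-padded traversal entries rejected, while the benign entries pass.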
Infection Mechanism and Code Execution
When the victim opens any Word document, the malicious Normal.dotm file executes embedded VBA macros. These macros perform the following actions:
1. Network Mapping: The macro runs the net use command to map a directory on the attacker's server as a network share on the local machine.
2. Payload Execution: The macro then launches a file named winnsc.exe from that mapped share, executing the attackers' code on the victim's system.
This two-stage infection process ensures that the initial document opening triggers the infection without raising immediate suspicion, allowing the attackers to maintain stealth while establishing persistent remote access.
Implications and Recommendations
The exploitation of CVE-2025-6218 by APT-C-08 underscores the critical need for organizations to keep software up to date and implement robust security measures. Because WinRAR is not updated consistently across enterprise environments, it is difficult to ensure that every installation is patched promptly.
To mitigate the risk posed by this vulnerability, organizations should:
– Update WinRAR: Ensure that all instances of WinRAR are updated to the latest version that addresses CVE-2025-6218.
– Restrict Macro Execution: Use Office macro policies and application allowlisting to block macro execution from Microsoft Office templates, reducing the risk of malicious code execution.
– Monitor Network Activity: Establish monitoring to detect suspicious drive-mapping activity (such as net use launched from Office processes) and macro-based indicators of compromise.
– Enhance User Awareness: Conduct regular training sessions to educate users about the risks associated with opening files from untrusted sources and the importance of cybersecurity hygiene.
By taking these proactive steps, organizations can strengthen their defenses against sophisticated threats like those posed by APT-C-08 and protect sensitive information from unauthorized access.