A zero-day vulnerability in WinRAR, a popular Windows shareware archiving tool, is being used by cybercriminals to steal traders’ funds.
In June, cybersecurity firm Group-IB discovered the WinRAR ZIP file processing vulnerability. Hackers can hide malicious scripts in archive files disguised as “.jpg” images or “.txt” files to compromise target machines using the zero-day flaw, which the vendor had no time to fix before it was exploited.
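The decoy layout the article alludes to is well documented in the public CVE-2023-38831 write-ups: a benign-looking file entry (e.g. `chart.jpg `) sits beside a same-named directory holding a script whose name begins with the decoy name. The following is an added example, not code from the article or from Group-IB or Rarlab, of a defender-side triage check that flags archives with that layout; the script-extension list and sample archive are constructed assumptions.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows treats as executable when such an entry is launched.
# Assumed starting list; extend it to match local policy.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".ps1", ".exe", ".js", ".wsf", ".scr")


def find_38831_pattern(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) pairs whose layout matches the CVE-2023-38831 abuse.

    Pattern: a top-level file entry NAME is accompanied by entries under
    a directory also called NAME, and one of those entries starts with
    NAME and carries a script extension.  Any hit is reason to quarantine.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]  # skip bare dir entries
    hits: List[Tuple[str, str]] = []
    for decoy in files:
        if "/" in decoy:
            continue  # only a top-level decoy is double-clicked by the victim
        prefix = decoy + "/"  # ZIP always uses '/' as the separator
        for entry in files:
            if not entry.startswith(prefix):
                continue
            inner = entry[len(prefix):]
            if inner.startswith(decoy) and inner.lower().endswith(SCRIPT_EXTS):
                hits.append((decoy, entry))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory archive for testing; payload text is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("chart.jpg ", b"not really an image")  # note trailing space
            zf.writestr("chart.jpg /chart.jpg .cmd", b"rem constructed placeholder")
        else:
            zf.writestr("chart.jpg", b"not really an image")
            zf.writestr("notes/readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_38831_pattern(build_sample(True)))   # one suspicious pair
    print(find_38831_pattern(build_sample(False)))  # []
```

Run it against quarantined attachments before they reach an unpatched WinRAR; a non-empty result is a strong indicator regardless of the decoy's extension.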
Since April, Group-IB says, hackers have spread malicious ZIP archives on specialist trading forums using this vulnerability. Group-IB reports that malicious ZIP archives were posted on at least eight public forums that “cover a wide range of trading, investment, and cryptocurrency-related subjects.” The targeted forums were not named by Group-IB.
In one targeted forum, administrators discovered malicious files and warned users. The forum blocked the attackers’ accounts, but Group-IB found evidence that they were “able to unlock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or private messages.”
After a forum user opens the malware-laced file, the hackers can access their brokerage accounts, make illicit financial transactions and withdraw funds, according to Group-IB. The cybersecurity firm says that at least 130 traders’ devices are infected but has “no insight on financial losses at this stage.”
One victim told Group-IB researchers that hackers failed to withdraw their money.
It is not known who exploited the WinRAR zero-day. However, Group-IB found the hackers using DarkMe, a Visual Basic trojan linked to the “Evilnum” threat group.
Evilnum, also known as “TA4563”, is a financially motivated threat group active in the U.K. and Europe since 2018. The group targets financial institutions and online trading platforms. Despite identifying the DarkMe trojan, Group-IB says it “cannot conclusively link the identified campaign to this financially motivated group.”
Group-IB reported CVE-2023-38831 to WinRAR maker Rarlab, which released WinRAR 6.23 on August 2 to fix the issue.