A zero-day vulnerability in WinRAR’s processing of ZIP files has been exploited by hackers to steal funds from broker accounts. The flaw lets an attacker hide a malicious script inside an archive so that opening what looks like a harmless document runs the script instead, giving the attacker access to the user’s computer.

Description

Cybersecurity company Group-IB discovered the vulnerability, which has been exploited by hackers spreading weaponized ZIP archives on specialized trading forums since April 2023. The archives pose as benign files; when users extract and open them [10], malware is activated [3] [10], enabling unauthorized withdrawals from broker accounts [10]. At least 130 traders’ devices have been infected [6] [9], but the financial losses resulting from this campaign are unknown [3].

The DarkMe trojan [1] [6] [7] [10], associated with the EvilNum threat group [10], has been used in these attacks. The campaign specifically targets traders on specialized forums, where the hackers pose as enthusiasts sharing trading strategies and post links to specially crafted WinRAR archives [3] [8]. The archives appear to contain trading strategies but actually contain malware [3], and have been distributed on at least eight public trading forums [3].

The exploit lets threat actors craft malicious .RAR and .ZIP archives that appear to contain innocuous files such as JPG images [3], text files [3] [4] [7], and PDF documents [3]. Each decoy file is paired with a folder of the same name that holds a script; when the user opens the decoy from within WinRAR [3], the script is executed and installs malware on the device [3]. The malware strains associated with this campaign include DarkMe [3], GuLoader [2] [3] [8] [11], and Remcos RAT [2] [3] [8] [11], which give the attackers remote access to and control over infected devices [3]. The identity of the individuals leveraging the CVE-2023-38831 vulnerability in this campaign is unclear, but the financially motivated EvilNum group has been associated with the DarkMe malware [3].
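As an added illustration of the archive layout described above (this is example code written for this summary, not Group-IB’s tooling or anything from the cited reports), the following Python checker looks for the CVE-2023-38831 pattern in a ZIP file: a file entry whose name, once trailing whitespace is stripped, matches a directory entry that contains a script-type file. The sample archives are constructed in memory and are not real campaign artifacts; the file names, the extension list and the function names are this example’s own choices. Only ZIP is covered because the Python standard library cannot parse RAR.

```python
import io
import posixpath
import zipfile

# Extensions WinRAR would hand to the shell for execution. The campaign used
# .cmd scripts; the rest are added here as a reasonable default (assumption).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr"}


def _norm(name: str) -> str:
    """Normalise an entry name: forward slashes, no trailing slash, trailing
    whitespace removed. The trailing space is what makes the decoy file and
    its companion folder collide on the same name."""
    return name.replace("\\", "/").rstrip("/").rstrip()


def find_suspicious_entries(data: bytes) -> list:
    """Return one finding per decoy file that has a same-named folder
    containing a script-type entry. Each finding is a dict with the raw
    decoy name and the raw script name as stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename.replace("\\", "/") for info in zf.infolist()]

    # Map normalised name -> raw name for every non-directory entry.
    file_names = {_norm(n): n for n in names if not n.endswith("/")}

    findings = []
    for raw in names:
        if raw.endswith("/"):
            continue  # explicit directory entry, nothing to run
        parent, child = posixpath.split(raw)
        if not parent:
            continue  # top-level file, no containing folder to collide with
        ext = posixpath.splitext(child.rstrip())[1].lower()
        if ext not in SCRIPT_EXTS:
            continue
        decoy = file_names.get(_norm(parent))
        if decoy is not None:
            findings.append({"decoy": decoy, "script": raw})
    return findings


def build_sample_archives():
    """Constructed samples for the demonstration (not real malware).
    The first mimics the vulnerable layout, the second is an ordinary archive."""
    malicious = io.BytesIO()
    with zipfile.ZipFile(malicious, "w") as zf:
        zf.writestr("Trading strategy.pdf ", b"%PDF-1.4 decoy document")
        zf.writestr("Trading strategy.pdf /Trading strategy.pdf .cmd",
                    b"@echo off\r\nrem placeholder for a dropper\r\n")

    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("Trading strategy.pdf", b"%PDF-1.4 real document")
        zf.writestr("notes/readme.txt", b"plain notes")
    return malicious.getvalue(), benign.getvalue()


if __name__ == "__main__":
    mal, ben = build_sample_archives()
    for label, blob in (("malicious", mal), ("benign", ben)):
        print(label, find_suspicious_entries(blob))
```

The check is deliberately conservative: it flags only the name collision plus an executable child, which is the combination the exploit needs, so a folder that merely shares a name with a document but contains no script is not reported. Run it against archives pulled from mail or forum downloads before they reach a workstation with an unpatched WinRAR.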

Group-IB promptly informed WinRAR’s developer [10], RARLAB [10], about the vulnerability [2] [3] [4] [5] [6] [7] [8] [9] [11], which led to the release of WinRAR 6.23 to fix the issue. Users are advised to update to that version or later to protect against exploitation [10]. Beyond updating, Group-IB advises users to treat attachments and downloads from unknown sources with caution, to follow strong security practices such as using a password manager [2], and to enable two-factor authentication (2FA) on trading and broker accounts so that a compromised device alone is not enough to move funds.

Conclusion

The exploitation of the zero-day vulnerability in WinRAR’s processing of ZIP files has had significant impact, with at least 130 traders’ devices infected and funds stolen from broker accounts. The DarkMe trojan [1] [6] [7] [10] has been used in these attacks; while the identity of the individuals behind the campaign is unclear, the financially motivated EvilNum group has been associated with the DarkMe malware [3] [10]. Group-IB’s prompt discovery and notification of the vulnerability led to the release of a patched version of WinRAR. Users are strongly advised to update their software and implement the additional security measures above to protect against further exploitation.

References

[1] https://www.darkreading.com/attacks-breaches/threat-actor-exploits-zero-day-in-winrar-to-target-crypto-accounts
[2] https://www.infosecurity-magazine.com/news/winrar-flaw-affects-traders/
[3] https://www.redpacketsecurity.com/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
[4] https://www.neowin.net/news/winrar-flaw-lets-hackers-steal-funds-from-broker-accounts/
[5] https://isp.page/news/hackers-exploit-winrar-zero-day-bug-to-steal-funds-from-broker-accounts/
[6] https://techcrunch.com/2023/08/23/winrar-zero-day-funds-brokers/
[7] https://nsaneforums.com/news/security-privacy-news/hackers-exploit-winrar-zero-day-bug-to-steal-funds-from-broker-accounts-r18079/
[8] https://cyber.vumetric.com/security-news/2023/08/23/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
[9] https://cryptorank.io/news/feed/29038-winrar-zero-day-funds-brokers
[10] https://securityonline.info/hackers-exploit-cve-2023-38831-zero-day-vulnerability-in-winrar/
[11] https://vulnera.com/newswire/exploitation-of-winrar-zero-day-vulnerability-to-breach-cryptocurrency-trading-accounts/