A threat actor believed to have connections to the financially motivated Evilnum group from Russia has been targeting users in online cryptocurrency trading forums using a recently patched bug in the popular WinRAR file compression and archiving utility. The bug, which has been tracked as CVE-2023-38831, allowed the attackers to hide malicious code in zip archives that appeared as other file formats such as “.jpg” and “.txt”. These malicious archives were then distributed on various online cryptocurrency trading forums.
This campaign has been ongoing since April, which is about three months before researchers at Group-IB discovered the vulnerability and reported it to Rarlab, the company behind WinRAR. Rarlab promptly issued a beta patch on July 20 and released an updated version of WinRAR (version 6.23) on August 2. However, despite these efforts, Group-IB revealed in a report that at least 130 systems on cryptocurrency forums remain infected. This prompted the security vendor to urge the estimated 500 million WinRAR users to install the new version immediately to protect themselves from potential attacks exploiting the vulnerability.
The vulnerability in WinRAR was discovered by researchers at Group-IB during their investigation of threat activity related to DarkMe, a remote access Trojan that was initially uncovered by security vendor NSFocus last year and was attributed to the Evilnum group. DarkMe is a versatile malware that can perform various functions such as spying on targets and serving as a loader for other malware. NSFocus observed Evilnum using DarkMe in attacks targeting online casinos and trading platforms across multiple countries.
The vulnerability found by Group-IB is related to how WinRAR processes zip files, which provided an avenue for attackers to conceal different types of malware tools within zip archives and distribute them to their targets. Group-IB researchers noted that the threat actor behind this campaign used this method to deliver at least three different malware families: DarkMe, GuLoader, and Remcos RAT.
To distribute these weaponized zip archives, the threat actor took advantage of various public forums where online traders regularly share information and discuss mutual topics of interest. Most of the time, the adversary attached the malware-loaded zip archives to forum posts or sent them via private messages to other members. The posts themselves were designed to attract the attention of forum members, often offering enticing trading strategies related to bitcoin. The threat actor also gained access to forum accounts and inserted malware into existing discussion threads.
In some instances, the attacker utilized a file storage service called catbox.moe to distribute the zip archives. Once the malware was successfully installed on a system, it would gain access to the victim’s trading accounts and execute unauthorized transactions to withdraw funds.
Despite some forum administrators becoming aware of the malicious files being distributed through their sites and issuing warnings to their members, the threat actor continued to make posts with malicious attachments. Group-IB discovered evidence that the threat actors were even able to unblock accounts that had been disabled by forum administrators to persist in spreading their malware.
While the DarkMe Trojan suggests the involvement of the Evilnum group in this campaign, Group-IB has not definitively attributed the WinRAR attacks to the threat group. However, the modus operandi and the tools used bear similarities to previous activities associated with Evilnum.
In conclusion, a threat actor with possible connections to the Evilnum group has been leveraging a bug in WinRAR to distribute malware in online cryptocurrency trading forums. Despite the patch being released, there are still infected systems on these forums, emphasizing the need for users to update to the latest version of WinRAR to protect themselves. This incident highlights the ongoing challenges in combating financially motivated cybercriminal groups and the importance of maintaining robust security measures to safeguard against such attacks in the cryptocurrency space.