WinRAR Users Urged to Update Software Following Discovery of 0-Day Vulnerability

A zero-day vulnerability in the popular archiving tool, WinRAR, has been exploited by hackers to target traders. Cybersecurity experts at Group-IB discovered this flaw, which allows hackers to conceal malicious scripts within innocent-looking archive files. The hackers have specifically targeted specialized trading forums to distribute these malicious files.

The vulnerability lies in how WinRAR processes ZIP archives. It lets the attackers hide malicious scripts inside an archive alongside seemingly harmless files, such as images or text documents, so that the archive itself looks innocuous. Victims who open these files unknowingly give the attackers access to their brokerage accounts. The financial losses suffered by the approximately 130 traders known to have fallen victim to this scheme are still being calculated.
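The following is an added triage example, not code from Group-IB or the article. It scans a ZIP archive for executable scripts that are dressed up as documents, generalizing the article's description (a script concealed among image or text files) into two heuristics: an executable entry whose own name still reads like a document once the script suffix is removed, and an executable entry stored under a directory named like a document. The extension lists and the sample archive are constructed for the demonstration.

```python
"""Triage ZIP archives for scripts hidden behind document-looking names."""
import io
import posixpath
import zipfile

# Extensions Windows will execute when the entry is "opened" (constructed list).
EXEC_EXT = {".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".exe", ".scr", ".hta"}
# Extensions a victim would consider harmless: images, text, office documents (constructed list).
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def _looks_like_document(name: str) -> bool:
    """True if NAME (one path component) ends in a decoy extension, trailing spaces aside."""
    return posixpath.splitext(name.rstrip())[1].lower() in DECOY_EXT


def suspicious_entries(zip_bytes: bytes) -> list[str]:
    """Return entries that are executable content presented as a document.

    Heuristic 1: the executable's own filename, minus the executable suffix,
                 still looks like a document ("photo.jpg .cmd").
    Heuristic 2: the executable sits under a directory named like a document
                 ("photo.jpg/...").  Either one is enough to flag the entry.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.split("/")
            leaf, dirs = parts[-1], parts[:-1]
            stem, ext = posixpath.splitext(leaf.rstrip())
            if ext.lower() not in EXEC_EXT:
                continue  # not executable content; nothing to flag
            if _looks_like_document(stem) or any(_looks_like_document(d) for d in dirs):
                findings.append(info.filename)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless-looking document, a hidden script, a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.pdf", b"%PDF-1.4 decoy")  # constructed stand-in, not a real PDF
        zf.writestr("statement.pdf /statement.pdf .cmd", "echo constructed-test-payload\r\n")
        zf.writestr("notes.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in suspicious_entries(build_sample_archive()):
        print("FLAGGED:", repr(entry))
```

On the constructed sample only the script entry is reported; the decoy PDF and the text file pass, since neither carries an executable extension.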

Group-IB was able to interview a victim who recounted an attempted money withdrawal by the hackers. Fortunately, the attempt was unsuccessful, but the identities of these cybercriminals remain unknown. However, Group-IB has identified the use of a Visual Basic trojan called DarkMe, which has previously been associated with the Evilnum threat group. Evilnum is known for financially motivated activities primarily targeting financial organizations and online trading platforms. While Group-IB recognized the DarkMe trojan, they have not directly linked this campaign to the Evilnum group.

Taking responsible action, Group-IB promptly reported the vulnerability to Rarlab, the makers of WinRAR; it has been assigned the identifier CVE-2023-38831. As a result, an updated version of WinRAR (version 6.23) that addresses this critical security concern was released on August 2nd.

This isn’t the first time WinRAR has been affected by vulnerabilities. In October 2021, a remote code execution vulnerability was found in WinRAR’s free trial version 5.70. Attackers could execute arbitrary code on vulnerable systems by manipulating a dialogue box. This issue was resolved in WinRAR v. 6.02 released in June 2021.

Furthermore, in March 2019, it was discovered that WinRAR had carried a code execution vulnerability for 19 years. Over 100 exploits emerged, targeting users in the USA. Attackers could install hard-to-detect malware when users opened ZIP files, and every WinRAR version released in that 19-year span was affected. The malware would activate upon system reboot, with only a few antivirus programs capable of detecting it. One exploit even disguised itself as a bootleg Ariana Grande album.

Given these vulnerabilities, it is crucial for WinRAR users to update their software as soon as possible to protect themselves from potential attacks. Group-IB’s discovery of the zero-day vulnerability highlights the ongoing need for vigilance in the face of evolving cyber threats.
