InfoSecBulletin Cybersecurity for mankind
Traders are falling victim to cybercriminals who are leveraging a zero-day vulnerability in WinRAR, the long-standing shareware archiving tool for Windows, in order to pilfer funds.
In June, the cybersecurity company Group-IB made a remarkable discovery – a vulnerability that impacts how WinRAR handles the ZIP file format. Hackers are able to exploit a zero-day flaw, which means the vendor has no time to fix it before it is exploited. This flaw enables them to conceal harmful scripts within archive files disguised as .jpg images or .txt files. Consequently, they can easily compromise their target machines.
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CIRT alert Situational Awareness for Eid Holidays
Cyberattack on Malaysian airports: PM rejected $10 million ransom
Micropatches released for Windows zero-day leaking NTLM hashes
VMware Patches Authentication Bypass Flaw in Windows Tool
IngressNightmare
Over 40% of cloud environments are vulnerable to RCE
(CVE-2025-29927)
Urgently Patch Your Next.js for Authorization Bypass
Oracle refutes breach after hacker claims 6 million data theft
ALSO READ:
Kali Linux 2023.3 released: redesign NetHunter ,9 new tools, and more!
According to Group-IB, hackers have been taking advantage of this vulnerability since April in order to disseminate harmful ZIP archives on exclusive trading forums. Group-IB told malicious ZIP archives were posted on at least eight public forums. These forums discuss various topics related to trading, investment, and cryptocurrency. Group-IB declined to name the targeted forums.
The administrators of one of the targeted forums detected the presence of malicious files being shared and promptly issued a warning to their users. In addition to blocking the accounts used by the attackers, the forum also implemented measures to prevent their activities. However, Group-IB discovered evidence indicating that the hackers possessed the ability to bypass the account restrictions imposed by forum administrators. Consequently, they continued distributing malicious files by posting them in threads or sending them via private messages.
Hackers can gain access to brokerage accounts by tricking users into opening malware-infected files. This allows them to perform illegal financial transactions and withdraw funds. At the moment, the cybersecurity company informs that around 130 traders have infected devices. However, they mention that they do not have any information regarding financial losses at this point.
One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.
The mastermind behind the exploitation of the WinRAR zero-day remains a mystery. Group-IB, however, reported that it has detected the hackers utilizing DarkMe, a Visual Basic trojan associated with the notorious “Evilnum” threat group.
Evilnum, also referred to as “TA4563,” is a highly motivated threat group focused on financial gain, demonstrating significant activity within the United Kingdom. There has been evidence of this happening in Europe since at least 2018. The group has gained recognition for primarily focusing on financial organizations and online trading platforms. Group-IB stated that although they have identified the DarkMe trojan, they cannot definitively establish a direct connection between the detected campaign and this financially motivated group.
According to Group-IB, they have successfully reported the vulnerability, known as CVE-2023-38831, to Rarlab, the creators of WinRAR. On August 2nd, a new and improved WinRAR version (6.23) was released to fix the issue.
