Traders are falling victim to cybercriminals who are leveraging a zero-day vulnerability in WinRAR, the long-standing shareware archiving tool for Windows, in order to pilfer funds.
In June, the cybersecurity company Group-IB made a remarkable discovery – a vulnerability that impacts how WinRAR handles the ZIP file format. Hackers are able to exploit a zero-day flaw, which means the vendor has no time to fix it before it is exploited. This flaw enables them to conceal harmful scripts within archive files disguised as .jpg images or .txt files. Consequently, they can easily compromise their target machines.
According to Group-IB, hackers have been taking advantage of this vulnerability since April in order to disseminate harmful ZIP archives on exclusive trading forums. Group-IB told malicious ZIP archives were posted on at least eight public forums. These forums discuss various topics related to trading, investment, and cryptocurrency. Group-IB declined to name the targeted forums.
The administrators of one of the targeted forums detected the presence of malicious files being shared and promptly issued a warning to their users. In addition to blocking the accounts used by the attackers, the forum also implemented measures to prevent their activities. However, Group-IB discovered evidence indicating that the hackers possessed the ability to bypass the account restrictions imposed by forum administrators. Consequently, they continued distributing malicious files by posting them in threads or sending them via private messages.
Hackers can gain access to brokerage accounts by tricking users into opening malware-infected files. This allows them to perform illegal financial transactions and withdraw funds. At the moment, the cybersecurity company informs that around 130 traders have infected devices. However, they mention that they do not have any information regarding financial losses at this point.
One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.
The mastermind behind the exploitation of the WinRAR zero-day remains a mystery. Group-IB, however, reported that it has detected the hackers utilizing DarkMe, a Visual Basic trojan associated with the notorious “Evilnum” threat group.
Evilnum, also referred to as “TA4563,” is a highly motivated threat group focused on financial gain, demonstrating significant activity within the United Kingdom. There has been evidence of this happening in Europe since at least 2018. The group has gained recognition for primarily focusing on financial organizations and online trading platforms. Group-IB stated that although they have identified the DarkMe trojan, they cannot definitively establish a direct connection between the detected campaign and this financially motivated group.
According to Group-IB, they have successfully reported the vulnerability, known as CVE-2023-38831, to Rarlab, the creators of WinRAR. On August 2nd, a new and improved WinRAR version (6.23) was released to fix the issue.