A financially motivated cybercriminal organization recently used a zero-day vulnerability in the widely used file compression tool WinRAR to launch cyberattacks against traders and brokers, aiming to steal their digital currency.

These cyber adversaries are exploiting a previously unknown flaw in WinRAR, a venerable and trusted software commonly used for file storage on Windows-based systems. This vulnerability allows them to target traders and steal their digital funds. Group-IB, a cybersecurity firm specializing in digital security, made this discovery.

Group-IB discovered this vulnerability in June; it shows how WinRAR handles files in the ZIP format. The cybercriminals cleverly hid malicious scripts within archive files that initially appeared entirely non-suspicious.

The script pretends to be harmless as ".jpg" images or ".txt" documents. The cybercriminals successfully penetrate the victim's device after an unsuspecting user opens one of these seemingly harmless files. Consider this tactic similar to a Trojan horse scenario, in which the attackers sneakily breach the targeted systems with the excuse of innocuous content, effectively compromising the victims' machines.

How Malicious Files are being Spread?

It looks like these cybercriminals are going after traders in particular. Those actively engaged in trading and investing have become the primary target of their evil activities. These cybercriminals are distributing malicious ZIP archives through specialized trading forums.

Their strategy, however, goes beyond these forums; they've also infiltrated public discussion boards covering a wide range of trading topics. From trading strategy discussions to investment insights and cryptocurrency discussions, these forums have unwittingly transformed into platforms for the distribution of malicious files.

When forum administrators became aware of these malicious files, they took immediate action to combat the threat. Users were issued warnings, and the hackers' accounts were blocked in an attempt to prevent their attack. However, these cybercriminals demonstrated persistence. They managed to get around the account bans and continued to spread their malicious files via both forum threads and private messages.

What are the Consequences of WinRAR Exploit?

The consequences for those of you who open these corrupted files can be severe. When the malicious script takes hold, the hackers gain unauthorized access to your brokerage accounts, allowing them to engage in illegal financial activities. This includes carrying out illegal transactions and withdrawing money from your compromised accounts.

This attack had a significant impact, with over 130 traders' devices compromised. The offenders of these attacks have been using a "VisualBasic" trojan known as "DarkMe," which has ties to a group known as "Evilnum." This organization has a track record of targeting financial institutions and online trading platforms.

Evilnum has been active for a long time, with a recent emphasis on financial technology companies primarily based in Europe. The timing and political context of a recent campaign coincided with Russia's invasion of Ukraine, implying that Evilnum may be a hack-for-hire organization.

However, there is more to the story. WinRAR has also patched another vulnerability known as CVE-2023-40477. This vulnerability allowed remote attackers to execute arbitrary commands on a vulnerable system. On June 8, 2023, a researcher named "goodbyeselene" of the Zero Day Initiative discovered it and immediately reported it to Rarlab.

This vulnerability was caused by an issue with how recovery volumes were processed. The flaw resulted from insufficient validation of user-supplied data, which caused a breach in memory access boundaries. This flaw received a severity rating of 7.8(high) on the Common Vulnerability Scoring System (CVSS). It's critical to understand that, despite its apparent low severity, attackers only need to trick a user into opening a compromised archive to exploit this vulnerability.

How to Fix WinRAR Exploit?

The vulnerability, known as CVE-2023-38831, was swiftly addressed by the developers behind WinRAR. They released a beta version on July 20 and followed up with a stable version (6.23) on August 2. This update not only fixes the CVE-2023-38831 vulnerability but also tackles other issues that could potentially threaten your online security. However, evidence suggests threat actors have exploited this vulnerability since at least April 2023.

Whether you are utilizing WinRAR or any other file archiving software, it's crucial to exercise caution when opening RAR files. Always maintain a level of uncertainty when encountering unexpected files, especially those originating from unverified sources. It is important to scan ZIP files through a strong antivirus tool to minimize the threats to your system and business.