Cybercriminals are capitalizing on a zero-day vulnerability within the long-standing WinRAR archiving tool for Windows to launch targeted attacks against traders and pilfer funds.
Discovered by cybersecurity firm Group-IB in June, this flaw allows hackers to embed harmful scripts within ZIP archives disguised as common image or text files, bypassing security measures and compromising victims’ machines. Since April, hackers have leveraged this vulnerability to distribute malicious ZIP archives across specialized trading forums, impacting a broad spectrum of trading, investment, and cryptocurrency topics. While administrators attempted to counter this threat, Group-IB observed hackers sidestepping measures to continue disseminating malware.
Once opened, the rigged archives grant hackers access to victims’ brokerage accounts, enabling them to carry out unauthorized financial transactions and withdraw funds, leading to potential monetary losses. Group-IB reported that approximately 130 traders’ devices have been infected, but the extent of financial damages remains uncertain. A victim shared with researchers that the hackers made unsuccessful attempts to withdraw funds.
The attackers’ identity remains undisclosed, though Group-IB detected the use of the DarkMe Trojan, previously associated with the “Evilnum” threat group known for targeting financial organizations and online trading platforms.
Group-IB notified WinRAR’s developer, Rarlab, about the vulnerability (CVE-2023-38831), prompting the release of WinRAR version 6.23 on August 2 to address the issue. This response aims to thwart the ongoing exploitation and safeguard users against similar threats.
