In a cunning and concerning revelation, hackers have successfully exploited a zero-day flaw in the widely-used WinRAR archiving tool. This attack, primarily targeting online traders, has become a vehicle for unauthorized financial transactions and potential theft.
The WinRAR Vulnerability: A Closer Look
Cybersecurity research firm Group-IB unearthed a zero-day bug in WinRAR’s ZIP file processing, which was exploited as early as April. This flaw, now tracked as CVE-2023-38831, permits hackers to conceal malicious scripts in files, masquerading as innocent “.jpg” or “.txt” formats.
How the Exploit Works
The criminals have been using this vulnerability to disperse infected ZIP files across various trading forums. According to Group-IB, at least eight such forums related to trading, investment, and cryptocurrency have been targeted.
Targeted Attack on Traders
Once these disguised files are opened, the hackers gain control over the victims’ trading accounts. They have then been attempting to conduct unauthorized financial transactions and withdrawals. Group-IB’s investigations revealed that a minimum of 130 devices had been infected.
The Response and Countermeasures
Forum administrators, upon discovering the malicious activity, issued warnings and blocked the attackers’ accounts. However, the hackers continued to spread the malicious files. WinRAR has since released an update (version 6.23) on August 2nd to patch the issue.
Connection to the “Evilnum” Threat Group
While the hackers leveraged the DarkMe trojan, previously associated with “Evilnum,” a definitive link to this financially driven group has not been established.
This sophisticated attack showcases the vulnerability of even established software and emphasizes the importance of timely updates and awareness. Users are strongly urged to update their WinRAR to the latest version to avoid potential security risks.