Cybersecurity researchers have exposed a zero-day vulnerability (CVE-2023-38831) in the popular WinRAR compression tool, which cyber-criminals have exploited to target traders on specialized forums.
The exploit allows threat actors to craft ZIP archives that contain malicious payloads, posing a significant risk to traders’ financial assets.
The Group-IB Threat Intelligence unit, while investigating the distribution of DarkMe malware in July 2023, stumbled upon the previously unknown vulnerability in WinRAR’s processing of the ZIP file format.
According to an advisory published earlier today by Andrey Polovinkin, a malware analyst at Group-IB, cyber-criminals have been using this vulnerability since April 2023 to create ZIP archives containing malware families including DarkMe, GuLoader and Remcos RAT.
Upon discovering this security flaw, Group-IB promptly notified RARLAB, the developers of WinRAR, about the issue. The company collaborated with the researchers and swiftly released a patch to address the vulnerability. MITRE Corporation assigned the vulnerability the identifier CVE-2023-38831 on August 15, 2023.
The exploit involves tricking users into opening seemingly harmless files, which then launch malicious scripts. Cyber-criminals are leveraging a tactic in which they spoof file extensions to hide the execution of malicious code within files that appear to be images or text documents. Group-IB explained that these malicious archives were posted on various trading forums, infecting at least 130 devices at the time of reporting.
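As an added example that is not part of the article or Group-IB's own tooling: a small Python triage check, from the defender's side, for the archive layout this vulnerability abuses (a decoy document or image name paired with a same-named directory holding a script, which is why the extension spoofing works). The extension lists, function names and the constructed sample archives are the example's own assumptions.

```python
import io
import zipfile

# Extensions a user trusts on sight, and extensions the OS would execute if handed to it.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc", ".docx"}
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr"}


def _ext(name: str) -> str:
    """Extension as a user would read it, ignoring trailing whitespace padding."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return ("." + base.rsplit(".", 1)[-1]).rstrip().lower()


def scan_zip(data: bytes) -> list[str]:
    """Return findings describing a CVE-2023-38831-style layout; [] when none."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    top_files = {n for n in names if "/" not in n}
    top_dirs = {n.split("/", 1)[0] + "/" for n in names if "/" in n}
    findings = []
    for f in sorted(top_files):
        if _ext(f) not in DECOY_EXTS:
            continue
        if f != f.rstrip():
            findings.append(f"trailing whitespace in name: {f!r}")
        twin = f + "/"  # a directory carrying exactly the decoy's name
        if twin in top_dirs:
            scripts = [n for n in names if n.startswith(twin) and _ext(n) in SCRIPT_EXTS]
            if scripts:
                findings.append(f"decoy {f!r} has a same-named directory holding {scripts}")
    return findings


def build_suspicious_sample() -> bytes:
    """Constructed sample (inert stub, not malware) matching the abused layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Strategy.pdf ", b"%PDF-1.4 decoy")
        zf.writestr("Trading_Strategy.pdf /Trading_Strategy.pdf .cmd", b"REM constructed stub\r\n")
    return buf.getvalue()


def build_clean_sample() -> bytes:
    buf = io.BytesIO()  # constructed benign archive for comparison
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 clean")
        zf.writestr("images/chart.png", b"\x89PNG")
    return buf.getvalue()
```

Run `scan_zip` over archives at a mail gateway or on download to flag candidates for quarantine; a patched WinRAR remains the actual fix.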
Once infected, the malware provides threat actors unauthorized access to victims’ brokerage accounts, enabling them to withdraw funds. The financial losses incurred due to this vulnerability are still under investigation. Notably, the same vulnerability was reportedly used in the DarkCasino campaign previously described by NSFOCUS researchers.
Group-IB urged users to keep their software updated, exercise caution when dealing with attachments from unknown sources and implement robust security practices such as using password managers and enabling two-factor authentication (2FA).