Hackers Exploit WinRAR Zero-Day Vulnerability to Target Traders’ Accounts

Cybercriminals have taken advantage of a zero-day vulnerability in WinRAR, a widely used archiving tool for Windows, to target traders and steal funds from their accounts. The cybersecurity firm Group-IB discovered the vulnerability in June; it lies in WinRAR's handling of ZIP files. The flaw allows hackers to hide malicious scripts inside archives whose contents appear to be innocent file types such as “.jpg” images or “.txt” documents, and this disguise is used to compromise the targeted machines.

Since April, hackers have been exploiting this vulnerability to distribute malicious ZIP archives on specialized trading forums. At least eight public forums, covering a range of trading, investment, and cryptocurrency-related subjects, have been affected. Group-IB has observed that once victims on these forums open the malware-infected files, the hackers gain unauthorized access to their brokerage accounts. This unauthorized access enables cybercriminals to engage in illicit financial activities, including fund withdrawals.

Approximately 130 traders’ devices had been infected at the time of writing. However, Group-IB has not yet determined the exact financial losses resulting from these attacks. The cybersecurity company found that the attackers used DarkMe, a Visual Basic trojan associated with the “Evilnum” threat group. Evilnum is a financially motivated group that has targeted financial organizations and online trading platforms since 2018.

Group-IB promptly reported the vulnerability, tracked as CVE-2023-38831, to the developers of WinRAR, and an updated version (6.23) was released on August 2 to address this issue. It’s important for users to keep their software updated to protect against such vulnerabilities and to remain vigilant against suspicious files, especially within sensitive environments like trading platforms.
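As an added defender-side example (not from this article, Group-IB or WinRAR), a heuristic Python scanner for the archive layout that CVE-2023-38831 abused: the public advisory describes exploit archives that paired a decoy file such as "report.jpg " (note the trailing space) with a same-named directory holding a script, which WinRAR launched when the user opened the decoy. That mechanism comes from the advisory rather than from this article, and the two sample archives are constructed in memory with inert contents.

```python
"""Heuristic scanner for the WinRAR file/directory name-collision layout
used by CVE-2023-38831 (added example, not Group-IB's or WinRAR's code).
It flags entry names with trailing spaces, scripts stored inside a
subdirectory, and a top-level file that shares its name with a directory.
Sample archives are built in memory from constructed, inert data."""
import io
import zipfile

SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr"}


def findings(data: bytes) -> list[str]:
    """Return human-readable findings for a ZIP archive held in memory."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    files = {n for n in names if not n.endswith("/")}
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    # Directories implied by nested entries (many tools omit explicit dir entries).
    for n in files:
        if "/" in n:
            dirs.add(n.split("/", 1)[0])
    for n in files:
        base = n.rsplit("/", 1)[-1]
        stem, dot, ext = base.rpartition(".")
        if base != base.strip() or (dot and stem != stem.rstrip()):
            out.append(f"trailing space in name: {n!r}")
        if dot and ("." + ext.strip().lower()) in SCRIPT_EXTS and "/" in n:
            out.append(f"script inside subdirectory: {n!r}")
    for d in dirs:
        if d in files:  # a file and a directory with exactly the same name
            out.append(f"file/directory name collision: {d!r}")
    return out


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives: one mimicking the exploit layout (script body is inert text), one benign.
SUSPICIOUS = build_zip({"report.jpg ": b"\xff\xd8 decoy", "report.jpg /report.jpg .cmd": b"REM placeholder"})
BENIGN = build_zip({"notes.txt": b"plain text", "images/chart.jpg": b"\xff\xd8\xff"})
```

Running `findings(SUSPICIOUS)` yields four findings (two trailing-space names, a script in a subdirectory, and the name collision), while `findings(BENIGN)` is empty; a mail gateway or EDR rule can apply the same checks before an archive reaches a trader's desktop.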
