WinRAR Zero-Day Exploited by H...
Cybercriminals have been exploiting a zero-day vulnerability in the WinRAR archiving tool to steal funds from traders. Group-IB discovered the vulnerability in June 2020; it affects how WinRAR processes the ZIP file format. Hackers have exploited the zero-day flaw since April to distribute malicious ZIP archives on eight different trading forums. The archives were disguised as ".jpg" or ".txt" files to compromise targeted computers. Once a machine was infiltrated, the malware delivered by the ZIP archives gave the hackers access to victims' brokerage accounts and the ability to perform illegal financial transactions and withdraw funds. At least 130 traders' devices are known to be affected at present. Group-IB has no insight into the extent of the financial losses suffered. A new version of WinRAR (version 6.23) was released on August 2 to fix the vulnerability.
The identity of those behind the exploitation of the WinRAR zero-day vulnerability is unknown. However, the hackers used the DarkMe Visual Basic Trojan, which is associated with the financially motivated Evilnum threat group that targets financial organizations and online trading platforms. The cybersecurity firm reported the vulnerability, known as CVE-2023-38831, to WinRAR creator Rarlab. The company released a patched version, WinRAR version 6.23, on August 2. This exploit highlights the importance of promptly updating software, as failing to do so can leave systems open to attacks that can cause significant damage or financial loss.
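Archives built for CVE-2023-38831 pair a harmless-looking top-level file (the ".jpg" or ".txt" decoy mentioned above) with a folder of the same name that holds a script, so the layout can be screened for before an archive is ever opened. The scanner below is an added example, not code from the article, Group-IB or RARLAB; the archives it inspects are constructed inline and the extension list is an assumption.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions that, when found inside the paired folder, mark the archive as a
# likely CVE-2023-38831 launcher (assumed list, not taken from the article).
LAUNCHER_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk")


def find_decoy_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy_file, launcher) pairs found in a ZIP archive.

    CVE-2023-38831 archives pair a top-level decoy such as "x.jpg " with a
    folder "x.jpg /" containing a script; the flaw made WinRAR launch that
    script when the decoy was opened. Trailing spaces are stripped before
    comparing names because the known samples relied on them.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # Top-level files only, keyed by their name without trailing spaces.
    top_files = {n.rstrip(" "): n for n in names if "/" not in n}
    hits = []
    for n in names:
        folder, sep, inner = n.partition("/")
        if not sep or not inner:  # top-level file or bare directory entry
            continue
        key = folder.rstrip(" ")
        if key in top_files and inner.lower().endswith(LAUNCHER_EXTS):
            hits.append((top_files[key], n))
    return hits


def build_sample_archive() -> bytes:
    """Constructed archive mimicking the layout; the script body is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.jpg ", b"\xff\xd8\xff")  # decoy "image"
        zf.writestr("report.jpg /report.jpg .cmd", b"rem placeholder")
        zf.writestr("notes.txt", b"unrelated benign file")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed archive: file and folder share a name, but no script inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff")
        zf.writestr("photo.jpg/thumb.jpg", b"\xff\xd8\xff")
    return buf.getvalue()


if __name__ == "__main__":
    print("sample:", find_decoy_pairs(build_sample_archive()))
    print("benign:", find_decoy_pairs(build_benign_archive()))
```

A hit is a reason to quarantine the archive for analysis, not proof of compromise; the check is cheap enough to run at a mail gateway or on a file-share scan.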