WinRAR, a popular file archiver for Windows used by millions of people worldwide, has been found to have a vulnerability that attackers have been exploiting to plant malware on traders' computers and steal their funds.
Cybersecurity company Group-IB told TechCrunch about a zero-day vulnerability in WinRAR that affects how the tool processes ZIP archives. For the unaware, a zero-day vulnerability is a flaw that attackers are already exploiting before the vendor knows about it or has shipped a fix; in this case the bug was abused in the wild for months before a patch was available.
The vulnerability lets attackers craft a ZIP archive that contains a harmless-looking decoy file, such as a JPEG image or a text file, alongside a folder with the same name that holds a malicious script. Because of the flaw in how WinRAR handles such archives, double-clicking the decoy inside WinRAR launches the script instead of simply opening the image or text.
Once the script runs, the attackers have a foothold on the victim's computer and can steal personal information, including financial account credentials. In the case of traders, this allows the attackers to make unauthorized trades or withdraw funds from their victims' accounts.
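The archive layout described above (a decoy file next to a same-named folder containing a script) is something a defender can look for before an archive ever reaches WinRAR. The following is an added example written for this article, not code from Group-IB, RARLAB or the attackers: a heuristic scanner that flags ZIP archives where a file with a decoy-style extension also appears as a directory name (ignoring trailing whitespace) and that directory holds a script with an executable extension. The extension lists and the sample archive, which is built in memory from placeholder bytes, are assumptions and constructed test data, not a real malware sample.

```python
"""Heuristic detector for the CVE-2023-38831 ZIP layout (added example)."""
import io
import zipfile

# Assumption: illustrative extension lists, not an exhaustive policy.
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".vbs", ".ps1", ".js", ".scr")
DECOY_EXTS = (".jpg", ".jpeg", ".png", ".txt", ".pdf")


def _split_path(name):
    """Return (directory, basename) using '/' as the ZIP separator."""
    name = name.replace("\\", "/")
    head, _, tail = name.rpartition("/")
    return head, tail


def find_decoy_dir_collisions(zf):
    """Return (decoy_file, script_entry) pairs whose names collide.

    A collision means the script's parent directory equals a decoy file's
    full name once trailing whitespace is stripped; attackers pad the names
    with spaces so the file and folder look identical in the WinRAR listing.
    """
    names = zf.namelist()
    # Candidate decoys: file entries (not directories) with a decoy extension.
    decoys = {}
    for n in names:
        if n.endswith("/"):
            continue
        if _split_path(n)[1].rstrip().lower().endswith(DECOY_EXTS):
            decoys[n] = n.rstrip().lower()
    findings = []
    for n in names:
        if n.endswith("/"):
            continue
        head, tail = _split_path(n)
        if not head or not tail.rstrip().lower().endswith(SCRIPT_EXTS):
            continue
        for decoy, norm in decoys.items():
            if head.rstrip().lower() == norm:
                findings.append((decoy, n))
    return findings


def scan_zip_bytes(data):
    """Scan a ZIP archive held in memory; returns the list of findings."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_dir_collisions(zf)


def build_sample_archive(malicious=True):
    """Constructed test data: a decoy 'chart.jpg ' (note the trailing space)
    and, if malicious, a folder of the same name holding a placeholder .cmd."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg ", b"not really a jpeg")
        if malicious:
            zf.writestr("chart.jpg /chart.jpg .cmd", b"echo placeholder\r\n")
        else:
            zf.writestr("notes/readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("malicious", True), ("benign", False)):
        hits = scan_zip_bytes(build_sample_archive(sample))
        print(label, "->", hits if hits else "no collisions")
```

The check is deliberately name-based: it does not need to extract anything, so it can run on a mail gateway or upload handler. Treat a hit as a strong indicator rather than proof, since a benign archive could in principle contain a folder named after a file by accident.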
Devices of at least 130 traders are reported to be infected, but there is no news yet about the financial losses. Notably, one victim told Group-IB researchers that the hackers attempted to withdraw their money but couldn't pull it off.
According to TechCrunch, the hackers have been using this vulnerability since April to spread malicious ZIP archives on specialist trading forums. These harmful ZIP files have appeared on at least eight public forums that discuss various trading, investment, and cryptocurrency topics, according to the source. However, the names of these forums have not been revealed.
Administrators of at least one forum took steps to block the accounts used by the attackers, but Group-IB saw evidence that the hackers were "able to unlock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or private messages."
The identity of the hackers exploiting the WinRAR zero-day vulnerability is unknown. However, Group-IB told TechCrunch the hackers are using DarkMe, a Visual Basic trojan that has previously been linked to the "Evilnum" threat group.
The cybersecurity firm is said to have reported the vulnerability, designated CVE-2023-38831, to WinRAR maker Rarlab, which released the fix in WinRAR version 6.23 on August 2nd. WinRAR does not update itself, so users need to download and install version 6.23 or later manually; any earlier version remains exploitable.