Cybercriminals are exploiting a zero-day vulnerability in WinRAR, the venerable shareware archiving tool for Windows, to target traders and steal funds.
Cybersecurity company Group-IB discovered the vulnerability, which affects WinRAR's handling of the ZIP file format, in June. A zero-day flaw is one the vendor had no time, or zero days, to fix before it was exploited. This one lets attackers hide a malicious script inside an archive behind what looks like an ordinary ".jpg" image or ".txt" file, so that opening the apparently harmless file from the archive runs the script and compromises the target machine.
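Defenders triaging archives from forums or mail gateways usually want a quick structural check before anything is opened. The following is an added example, not code from the article, Group-IB or Rarlab: a Python scanner that inspects a ZIP's entry names for the layout that public analyses of CVE-2023-38831 describe, a decoy file (say "screenshot.jpg") next to a directory of the same name, which holds a script whose name starts with the decoy's name and ends in an executable extension (the public proof-of-concept uses a trailing space in the directory name, which this check tolerates but does not require). The extension list, the file names and the two sample archives are constructed assumptions for the demonstration, and the check goes slightly beyond the article's case in that it also handles nested directories and archives that omit explicit directory entries.

```python
import io
import posixpath
import zipfile

# Extensions WinRAR would hand to the shell on "open". Assumed list for this
# example; extend it to taste.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".pif"}


def implied_dirs(names):
    """Directories present in the archive, whether or not they have their own
    entry (many ZIP writers omit explicit 'dir/' entries)."""
    dirs = set()
    for name in names:
        parts = name.rstrip("/").split("/")
        depth = len(parts) if name.endswith("/") else len(parts) - 1
        for i in range(1, depth + 1):
            dirs.add("/".join(parts[:i]) + "/")
    return sorted(dirs)


def find_decoy_pairs(names):
    """Return (decoy, script) pairs matching the CVE-2023-38831 layout:
    file X beside directory X/ (trailing whitespace ignored) that contains a
    file named X<anything><executable extension>."""
    files = [n for n in names if not n.endswith("/")]
    hits = []
    for decoy in files:
        parent, base = posixpath.split(decoy)
        stem = base.rstrip()
        for d in implied_dirs(names):
            d_parent, d_base = posixpath.split(d.rstrip("/"))
            if d_parent != parent or d_base.rstrip() != stem:
                continue  # not a sibling directory with the decoy's name
            for inner in files:
                if not inner.startswith(d):
                    continue
                leaf = inner[len(d):]
                if "/" in leaf:
                    continue  # deeper than the directory itself
                ext = posixpath.splitext(leaf)[1].lower()
                if leaf.startswith(stem) and ext in EXECUTABLE_EXTS:
                    hits.append((decoy, inner))
    return hits


def scan_zip(data: bytes):
    """Scan raw ZIP bytes; only names are read, nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_decoy_pairs(zf.namelist())


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archives (not real captured malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("screenshot.jpg", b"\xff\xd8\xff\xe0 constructed decoy")
        if malicious:
            # same-named directory with trailing space, script inside
            zf.writestr("screenshot.jpg /screenshot.jpg .cmd", b"rem constructed placeholder\r\n")
        else:
            zf.writestr("notes/readme.txt", b"constructed benign file\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, scan_zip(build_sample(flag)))
```

The check is deliberately name-based so it can run on an untrusted archive without extracting anything; it is a triage heuristic, not a substitute for updating WinRAR to a version that contains the fix.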
Group-IB says hackers have been exploiting this vulnerability since April to spread malicious ZIP archives on specialist trading forums. Group-IB tells TechCrunch that malicious ZIP archives were posted on at least eight public forums, which “cover a wide range of trading, investment, and cryptocurrency-related subjects.” Group-IB declined to name the targeted forums.
In the case of one of the targeted forums, administrators became aware that malicious files were shared and subsequently issued a warning to their users. The forum also took steps to block the accounts used by the attackers, but Group-IB saw evidence that the hackers were “able to unlock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or private messages.”
Once a targeted forum user opens the malware-laced file, the hackers gain access to their victims’ brokerage accounts, enabling them to perform illicit financial transactions and withdraw funds, according to Group-IB. The cybersecurity firm tells TechCrunch that the devices of at least 130 traders are infected at the time of writing but notes that it has “no insight on financial losses at this stage.”
One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.
It’s not known who is behind the exploitation of the WinRAR zero-day. However, Group-IB said it observed the hackers using DarkMe, a Visual Basic trojan that has previously been linked to the “Evilnum” threat group.
Evilnum, also known as “TA4563”, is a financially motivated threat group that has been active in the U.K. and Europe since at least 2018. The group is known for targeting mainly financial organizations and online trading platforms. Group-IB said that while identifying the DarkMe trojan, it “cannot conclusively link the identified campaign to this financially motivated group.”
Group-IB says it reported the vulnerability, tracked as CVE-2023-38831, to WinRAR-maker Rarlab. An updated version of WinRAR (version 6.23) to patch the issue was released on August 2.