Expanding Cyber Threat Landscape: WinRAR Zero-Day Exploited to Target Crypto Accounts

Newly Discovered WinRAR Bug Exploited by Threat Actor Targeting Cryptocurrency Traders

Introduction

A threat actor possibly connected to Russia’s financially motivated Evilnum group has been discovered targeting users of online cryptocurrency trading forums through a recently patched bug in the popular WinRAR file compression and archiving utility. The attackers exploited the bug, tracked as CVE-2023-38831, which allowed them to hide malicious code in zip archives disguised as various file formats and distribute those archives on the forums. The campaign has been ongoing since April, even though the bug was only discovered and reported to WinRAR in July by researchers at Group-IB. In a report released this week, Group-IB revealed that at least 130 systems belonging to users of cryptocurrency trading forums are still infected.

The Vulnerability and Malware Exploited

Researchers at Group-IB discovered this zero-day vulnerability in WinRAR while investigating threat activity related to DarkMe, a remote access Trojan attributed to Evilnum and initially discovered by security vendor NSFocus. DarkMe is malware with spying functions that can also be used as a loader for other malware. Evilnum has been observed deploying DarkMe in attacks targeting online casinos and trading platforms in several countries.

The vulnerability in WinRAR exists in how it processes zip files, enabling attackers to hide different types of malware tools within zip archives and distribute them to target systems. Group-IB researchers observed the threat actor using this exploit to deliver three malware families: DarkMe, GuLoader, and Remcos RAT. The threat actor distributed these weaponized zip archives on various public forums that online traders often use to share information and discuss topics related to cryptocurrency trading.
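The delivery described above relies on an archive whose contents do not match what the file names suggest. The following inspector, added here as a worked example and not code from the article, Group-IB or WinRAR, looks past the names and reports entries that are executable or whose bytes contradict their claimed document or image type. The extension list and magic-byte table are a constructed subset, the sample archive is constructed in memory, and the checks are content heuristics: a clean report says nothing about how a vulnerable archiver behaves when the archive is opened, so it complements patching rather than replacing it.

```python
import io
import os
import zipfile
from typing import List

# Hypothetical detection helper written for this article; it inspects the *contents*
# of a zip and flags entries that could be payloads disguised as documents or images.
# Both tables below are a constructed subset, not an exhaustive catalogue.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".ps1", ".hta", ".lnk", ".dll", ".msi"}

# Leading bytes expected for a few benign-looking document/image extensions.
MAGIC_BY_EXT = {
    ".pdf": (b"%PDF",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
}


def _extension(name: str) -> str:
    """Lower-cased extension of an entry's base name ('' if it has none)."""
    base = name.rsplit("/", 1)[-1]
    return os.path.splitext(base)[1].lower()


def audit_archive(data: bytes) -> List[str]:
    """Return one finding per suspicious observation; an empty list means nothing was flagged."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            ext = _extension(name)
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for every signature in MAGIC_BY_EXT

            # 1. Names padded with whitespace or carrying control/RTL-override characters
            #    are a classic way to hide the real extension in a file listing.
            if base != base.strip() or any(ord(c) < 32 or c == "\u202e" for c in base):
                findings.append(f"{name!r}: name contains padding or control characters")

            # 2. Anything Windows would execute on double-click.
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{name!r}: executable/script extension {ext}")

            # 3. A PE executable (MZ header) wearing a non-executable extension.
            if head.startswith(b"MZ") and ext not in EXECUTABLE_EXTS:
                findings.append(f"{name!r}: PE executable disguised as {ext or 'no extension'}")

            # 4. Content whose magic bytes do not match the claimed document/image type.
            expected = MAGIC_BY_EXT.get(ext)
            if expected and not any(head.startswith(m) for m in expected):
                findings.append(f"{name!r}: content does not look like {ext}")
    return findings


def build_sample_archive() -> bytes:
    """Construct an in-memory zip mimicking a 'trading strategy' lure (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("strategy.pdf", b"%PDF-1.4\n% constructed benign decoy document\n")
        zf.writestr("chart.png", b"MZ\x90\x00" + b"\x00" * 60)        # PE bytes under an image name
        zf.writestr("bonus.pdf      .cmd", b"rem constructed placeholder\r\n")  # padded double extension
        zf.writestr("README.txt ", b"constructed text\n")               # trailing space in name
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_archive(build_sample_archive()):
        print(finding)
```

Run against the constructed sample, the decoy PDF passes and the other three entries are reported; the PE-under-image entry produces two findings because both the MZ header and the missing PNG signature are observed independently. On a mail gateway or forum upload hook the same function can run on the raw upload before it reaches members.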

Attack Tactics

The threat actor used different tactics to lure victims into downloading and executing the malicious zip archives. In many cases, the adversary attached the malware-loaded zip archive to forum posts or sent it via private messages to other forum members. The posts often had intriguing topics designed to capture the attention of forum members, such as offering a personal strategy for trading bitcoin. Group-IB also noted instances where the attacker gained access to forum accounts to insert their malware into existing discussion threads. The threat actor also used the free file-hosting service catbox.moe to distribute the zip archives.

Once the malware was installed on a system, it gained access to the victim’s trading accounts and executed unauthorized transactions to withdraw funds. Notably, forum administrators became aware of the malicious files being distributed through their sites and attempted to warn their members about the threat. However, the threat actor persisted, unblocking disabled accounts to continue spreading malicious files by posting in threads or sending private messages.

Implications and Recommendations

This discovery highlights the constant challenges faced by internet users and the ever-evolving tactics used by threat actors to exploit vulnerabilities. The fact that this campaign has been ongoing for months, even after the vulnerability was reported, emphasizes the importance of promptly updating software applications and implementing security patches.

For WinRAR users, it is essential to install the updated version (6.23) immediately to mitigate exposure to any attacks targeting this specific vulnerability. With an estimated 500 million WinRAR users, the risk is significant and requires swift action to prevent potential financial losses.
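Confirming that the fixed release is actually installed across a fleet is the practical follow-up to the advice above. The script below is an added example, not code from the article or from WinRAR: it compares a version string against the 6.23 release named here and, on Windows, reads installed-program entries from the standard Uninstall registry keys (the WinRAR display-name text it matches on is an assumption about how the installer registers itself; adjust the match if your installs differ).

```python
import sys
from typing import List, Tuple

# Fixed release named in the article; anything older is treated as exposed.
PATCHED_VERSION: Tuple[int, ...] = (6, 23)


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.23' -> (6, 23); tolerates trailing text such as '6.23 (64-bit)' or '6.23.0'."""
    head = text.strip().split()[0] if text.strip() else ""
    parts: List[int] = []
    for piece in head.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True when the version string is at least the fixed release (tuple comparison)."""
    return parse_version(version) >= PATCHED_VERSION


def installed_winrar_versions() -> List[Tuple[str, str]]:
    """Windows only: (DisplayName, DisplayVersion) for every Uninstall entry mentioning WinRAR.
    Returns an empty list on other platforms so the pure helpers above stay testable anywhere."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library on Windows

    found: List[Tuple[str, str]] = []
    roots = (
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    )
    for root in roots:
        try:
            base = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
        except OSError:
            continue
        with base:
            count = winreg.QueryInfoKey(base)[0]
            for i in range(count):
                try:
                    with winreg.OpenKey(base, winreg.EnumKey(base, i)) as sub:
                        name = winreg.QueryValueEx(sub, "DisplayName")[0]
                        if "winrar" not in str(name).lower():   # assumed display-name text
                            continue
                        version = winreg.QueryValueEx(sub, "DisplayVersion")[0]
                        found.append((str(name), str(version)))
                except OSError:
                    continue  # entry without the values we need
    return found


if __name__ == "__main__":
    installs = installed_winrar_versions()
    if not installs:
        print("no WinRAR Uninstall entry found (or not running on Windows)")
    for name, version in installs:
        status = "OK" if is_patched(version) else "UPDATE REQUIRED"
        print(f"{name}: {version} -> {status}")
    sys.exit(0 if all(is_patched(v) for _, v in installs) else 1)
```

The non-zero exit status makes the script usable from an endpoint-management job that reports hosts still running a pre-6.23 build; hosts where WinRAR was installed by copying files rather than through the installer will not appear in the Uninstall keys and need a file-version check instead.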

Additionally, this incident serves as a reminder of the critical role that cybersecurity plays in protecting our digital lives. Users must exercise caution when downloading files from untrusted sources, especially on public forums or through private messages. It is crucial to verify the credibility and source of any attachments before opening them, particularly files that claim to provide trading strategies or other enticing offers.

For forum administrators, maintaining vigilant monitoring and fostering an environment where members can report suspicious activity is crucial. Promptly responding to reports and taking action against malicious files will help mitigate the impact of attacks. Ongoing education and awareness among forum members about potential threats and safe browsing practices are also essential.

Ultimately, the discovery of this campaign reinforces the need for robust cybersecurity measures, regular software updates, and constant vigilance from both users and developers. The evolving nature of threats requires a proactive approach to protect ourselves and our digital assets in an ever-evolving digital landscape.
