In a recent cyber attack, a financially motivated cybercrime group targeted traders by exploiting a zero-day vulnerability in the popular file archiving utility WinRAR. According to cybersecurity firm Group-IB, the vulnerability, tracked as CVE-2023-38831, was quickly patched by WinRAR's developers, but evidence suggests that threat actors had been exploiting the flaw since April 2023. Group-IB researchers discovered the attacks on July 10, when they noticed a malicious campaign that involved exploitation of this zero-day vulnerability.
The vulnerability in WinRAR lies in how the software processes ZIP files: it allows attackers to execute malicious code by tricking users into opening a specially crafted archive. The cybercriminals disguised the malicious content as harmless .txt or .jpg files, increasing the likelihood that a victim would open it. The malware delivered through these archives included GuLoader, Remcos RAT, and DarkMe.
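As an added defender-side illustration (not code from the article or from Group-IB), the check below scans a ZIP archive's central directory for the publicly documented layout behind CVE-2023-38831: a decoy document next to a folder with the same name plus a trailing space, holding a script. It assumes that layout and only the extensions listed; the sample archive is constructed in memory with an inert placeholder instead of any payload.

```python
import io
import os
import zipfile

# File types that unpatched WinRAR would hand to the shell when the decoy is opened.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr"}


def find_cve_2023_38831_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, nested_script) pairs matching the CVE-2023-38831 layout.

    Layout: a top-level decoy such as 'x.jpg' beside a folder named 'x.jpg '
    (trailing space) that contains a script such as 'x.jpg .cmd'.
    Only the central directory is read; nothing is extracted.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    decoys = {n for n in names if "/" not in n}          # top-level files only
    hits = []
    for name in names:
        parts = name.split("/")
        if len(parts) != 2 or not parts[1]:              # want exactly folder/file
            continue
        folder, inner = parts
        if folder.rstrip(" ") not in decoys:             # folder must mirror a decoy name
            continue
        ext = os.path.splitext(inner.rstrip(" "))[1].lower()
        if ext in SCRIPT_EXTS:
            hits.append((folder.rstrip(" "), name))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory test archive; the 'script' entry is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"benign note")
        zf.writestr("statement.jpg", b"not a real image")
        if malicious:
            zf.writestr("statement.jpg /statement.jpg .cmd", b"rem placeholder, no payload")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_cve_2023_38831_candidates(build_sample(True)))   # one hit
    print(find_cve_2023_38831_candidates(build_sample(False)))  # []
```

A hit on an inbound attachment is a strong signal: legitimate archives have no reason to pair a document with a same-named, trailing-space folder containing a script.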
The cybercriminals targeted traders by posting these malicious archives on popular trading forums, aiming to get users to install the malware on their systems. Group-IB stated that it is unclear how many people had their systems infected, but they were aware of 130 infected devices at the time of their disclosure. The attackers gained access to the victims’ broker accounts on infected systems and attempted unauthorized transactions and fund withdrawals. Although it is unclear how much money was stolen, Group-IB noted that the cybercriminals caused very small losses, such as $2. Group-IB believes there is a connection between opening the malicious archive and the unauthorized account access, though they do not have conclusive evidence.
Group-IB researchers identified DarkMe as one of the malware families delivered in this campaign; it had previously been observed in an operation known as DarkCasino. DarkCasino has been linked to a threat group called Evilnum, which has a history of targeting financial technology companies in Europe. However, Group-IB noted that it cannot conclusively link this campaign to Evilnum, and that similar tools from the same developer may be available on underground forums.
This attack comes shortly after the disclosure of another WinRAR vulnerability, CVE-2023-40477, which can also be exploited to execute arbitrary code by tricking users into opening a specially crafted file. While WinRAR is widely used software, in-the-wild exploitation of its vulnerabilities is relatively rare.
The cyber attack on traders highlights the ongoing risk of cybercrime and the potential for exploitation of software vulnerabilities. Traders and individuals should remain vigilant when it comes to opening files or archives from unfamiliar or untrusted sources, as even seemingly harmless files can be malicious. It is essential to keep software and operating systems up to date with the latest security patches and to be cautious of suspicious links or attachments in emails and messages.
In the broader context, this incident raises questions about the responsibility of software developers in addressing vulnerabilities promptly and effectively. Zero-day vulnerabilities can pose significant risks to individuals and organizations, and software developers must prioritize the security of their products. Promptly releasing security patches and updates, as WinRAR did in response to CVE-2023-38831, is crucial in mitigating the potential damage caused by such vulnerabilities.
It is also worth considering the larger implications of cybercrime and the need for global cooperation in combating this issue. Cybercrime is a borderless crime that requires international collaboration to effectively address and prevent future attacks. Governments, law enforcement agencies, and cybersecurity firms need to work together to share information, intelligence, and best practices to stay ahead of cybercriminals.
In conclusion, the cyber attack targeting traders by exploiting the WinRAR zero-day vulnerability serves as a reminder of the ongoing threat posed by cybercrime. Traders and individuals must remain vigilant and take necessary precautions to protect themselves from such attacks. Software developers also play a crucial role in addressing vulnerabilities promptly, ensuring the security of their products, and mitigating the risks posed by cybercriminals. International cooperation is essential in the fight against cybercrime, as it is a global problem that requires collective efforts to combat effectively.
Photo by Kenny Eliason (illustrative image only; it does not depict the actual situation).