In a disconcerting revelation, cybersecurity firm Group-IB has unearthed a brazen cybercrime tactic involving the exploitation of a zero-day vulnerability within the popular archiving software, WinRAR. These audacious attacks are specifically engineered to target traders, with the aim of illicitly siphoning off their funds.

The WinRAR Vulnerability Unveiled

The vulnerability, first detected in June, pertains to how WinRAR handles ZIP file formats. A “zero-day” vulnerability denotes an unpatched security flaw that cybercriminals can exploit before the software vendor has had a chance to rectify it.

Exploiting this loophole, cunning hackers implant malicious scripts into archive files masquerading as common formats, like “.jpg” or “.txt”. This astute camouflage enables them to slip past victims’ defences and wreak havoc undetected.

Widespread Exploitation via Trading Forums

According to Group-IB, hackers began exploiting this vulnerability as early as April, distributing their nefarious ZIP archives on specific trading forums. At least eight forums, dedicated to trading, investment, and cryptocurrency-related discussions, have reportedly witnessed the posting of these malicious files. For security reasons, Group-IB has refrained from disclosing the names of these targeted forums.

Can Forums Counter these Cyberattacks?

In an effort to combat this menace, some forum administrators have issued warnings to their users upon learning about these malicious entities. However, this is not a foolproof solution. Group-IB discovered that hackers could regain access to disabled accounts, enabling them to continue their malicious activities through forum threads or private messages.

Upon opening one of these virus-laden files, the attackers gain access to victims’ brokerage accounts, where they execute unauthorized financial transactions, posing a grave threat to financial security.

Count of Victims and Financial Losses

At present, Group-IB reports that more than 130 traders have fallen victim to these attacks. However, it remains unclear how substantial the financial losses have been or whether any successful withdrawals were made.

The Culprits Behind the Exploitation

While the identities of the hackers remain elusive, Group-IB noted the use of the DarkMe trojan, a malware strain previously associated with the “Evilnum” threat group. This group has a track record of targeting financial institutions and online trading platforms across the UK and Europe. Nevertheless, confirming whether this specific group is responsible for the ongoing attack remains inconclusive.

Group-IB’s Alert and WinRAR Response

Group-IB promptly alerted Rarlab, the developer of WinRAR, about the vulnerability, designated as CVE-2023-38831. Rarlab responded by releasing an updated WinRAR version (6.23) on August 2, designed to patch the issue.

This discovery serves as a stark reminder of the ever-present cybersecurity threats that continue to evolve and target unsuspecting victims. Traders and forum users are urged to exercise utmost caution when handling archive files and to keep their software and systems up to date to minimize such risks.

Stay updated with TechInsight on tech and AI’s latest news.