Cybercriminals have leveraged a zero-day vulnerability in WinRAR, the popular Windows archiving tool, to target financial traders and illicitly siphon funds from their brokerage accounts.
The vulnerability, which affects WinRAR's processing of the ZIP file format, was uncovered by cybersecurity firm Group-IB in June. This zero-day flaw allows attackers to embed malicious scripts in archive files disguised as “.jpg” images or “.txt” files, thereby compromising the targeted systems. To mitigate this risk, WinRAR has released version 6.23, and users are advised to update their software to safeguard against potential exploitation. Older versions of WinRAR put systems at risk now that the vulnerability is publicly known.
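As an added defender-side illustration (not code from the article or from Group-IB), the following Python triage script inspects the entries of a ZIP archive for the lure pattern described above: an entry named as a “.jpg” or “.txt” file that actually carries a script extension, or a “.jpg” entry whose bytes are not a JPEG. It does not detect the WinRAR flaw itself; the archive, file names and contents are constructed placeholders.

```python
import io
import zipfile

# Extensions the article says were used as disguises, and the script
# extensions a triage step would not expect to see behind them.
DISGUISE_EXTS = (".jpg", ".jpeg", ".txt")
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe")
JPEG_MAGIC = b"\xff\xd8\xff"


def suspicious_entries(zip_bytes):
    """Return a list of (entry_name, reason) for entries worth a closer look.

    Two checks only: a script extension following an image/text extension in
    the name, and a .jpg entry whose leading bytes are not the JPEG signature.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            base, dot, last = lower.rpartition(".")
            if dot and "." + last in SCRIPT_EXTS and any(d in base for d in DISGUISE_EXTS):
                findings.append((name, "script extension hidden behind an image/text extension"))
                continue
            if lower.endswith((".jpg", ".jpeg")):
                head = zf.open(info).read(len(JPEG_MAGIC))
                if not head.startswith(JPEG_MAGIC):
                    findings.append((name, "named as JPEG but content is not a JPEG"))
    return findings


def build_sample_archive():
    """Constructed sample archive (placeholder data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)  # genuine-looking image stub
        zf.writestr("strategy.txt", b"Buy low, sell high.\n")          # ordinary text
        zf.writestr("report.jpg.cmd", b"@echo off\r\necho placeholder\r\n")  # script behind .jpg
        zf.writestr("signals.jpg", b"@echo off\r\necho not an image\r\n")    # wrong content for .jpg
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_entries(build_sample_archive()):
        print(f"{entry}: {reason}")
```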
Malicious Activity on Trading Forums
Security researchers from Group-IB report that since April, hackers have been disseminating these malicious ZIP archives across specialized trading forums. According to Group-IB, such malicious archives were found on at least eight public forums covering topics related to trading, investment, and cryptocurrency. The specific forums targeted have not been disclosed by Group-IB. In one instance, a forum's administrators detected the distribution of these harmful files and promptly alerted their users. Despite efforts to curb this activity by blocking the attackers' accounts, Group-IB observed that the hackers managed to reactivate disabled accounts, persisting in their malicious distribution through both public threads and private messages.
Consequences for Traders
Once a victim opens one of these tainted files, the hackers can infiltrate the victim's brokerage accounts, facilitating unauthorized financial transactions and fund withdrawals. Group-IB says that, as of now, at least 130 traders' devices have been compromised. The exact financial repercussions of these breaches remain uncertain. One trader told Group-IB researchers about an unsuccessful attempt by the hackers to withdraw their funds.
Potential Culprits and Remedial Measures
While the exact identity of the perpetrators exploiting the WinRAR vulnerability remains unknown, Group-IB has noted their use of DarkMe, a Visual Basic trojan. This trojan has previously been associated with the “Evilnum” threat group, also referred to as “TA4563”. Active since 2018, Evilnum primarily targets financial institutions and online trading platforms in the U.K. and Europe. However, Group-IB emphasized that the presence of the DarkMe trojan does not conclusively tie the ongoing campaign to this financially driven group. In response to this security threat, Rarlab, the creators of WinRAR, released an updated version (6.23) on August 2nd to address the vulnerability.