Thursday, July 31, 2025

Hackers exploit WinRAR zero-day bug to steal funds from trader accounts


Cybercriminals are exploiting a zero-day vulnerability in WinRAR, the long-established shareware archiving tool for Windows, to target traders and steal funds.

Cybersecurity firm Group-IB discovered the vulnerability, which affects how WinRAR processes the ZIP file format, in June. The zero-day flaw, so called because the vendor had no time, or zero days, to fix it before it was exploited, allows attackers to hide malicious scripts inside archive files that masquerade as “.jpg” images or “.txt” files, for example, and so compromise target machines.
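As an added, defender-side example (not code from the article or from Group-IB), the following Python inspects a ZIP's entry list for the decoy-plus-script layout such lures rely on: a script stored under a directory or file name that repeats a harmless-looking decoy name padded with trailing whitespace. The exact name pattern, the extension lists and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile

SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".txt", ".pdf"}


def _ext(name):
    """Lower-cased extension of a file name ('' when it has none)."""
    _stem, dot, ext = name.rpartition(".")
    return "." + ext.lower() if dot else ""


def scan_archive(data):
    """Return [(entry_name, reasons)] for entries that look like a script
    riding alongside a same-named decoy file. Assumed tell-tale layout (not
    described in the article): a directory or file name that is the decoy's
    name padded with trailing whitespace, e.g. 'x.jpg /x.jpg .cmd'."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    decoys = {n for n in names if _ext(n) in DECOY_EXTS}
    findings = []
    for name in names:
        dirs, _, fname = name.rpartition("/")
        stem = fname.rpartition(".")[0] if "." in fname else fname
        reasons = []
        if any(d != d.rstrip() for d in dirs.split("/") if d):
            reasons.append("directory name padded with trailing whitespace")
        if _ext(fname) in SCRIPT_EXTS and _ext(stem.rstrip()) in DECOY_EXTS:
            reasons.append("script named after a decoy file")
        if reasons and stem.rstrip() in decoys:
            reasons.append("matching decoy present in archive")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_archive(entries):
    """Build an in-memory ZIP from {name: bytes}; used for sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mimicking the lure layout; the "script" is a harmless
# placeholder line, not malware, and the "image" is junk bytes.
SAMPLE_LURE = {
    "chart.jpg": b"\xff\xd8\xff placeholder, not a real image",
    "chart.jpg /chart.jpg .cmd": b"echo placeholder\r\n",
    "notes.txt": b"nothing here\n",
}
```

Running `scan_archive(build_archive(SAMPLE_LURE))` reports the padded-directory script together with the matching decoy, while an ordinary archive with no padded names produces no findings.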

Group-IB says hackers have been exploiting the vulnerability since April to spread malicious ZIP archives on specialist trading forums. Group-IB tells TechCrunch that malicious ZIP archives were posted on at least eight public forums, which “cover a range of trading, investment, and cryptocurrency-related subjects.” Group-IB declined to name the targeted forums.

In the case of one of the targeted forums, administrators became aware that malicious files were being shared and issued a warning to their users. The forum also took steps to block the accounts used by the attackers, but Group-IB saw evidence that the hackers were “able to unblock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or private messages.”

Once a targeted forum user opens the malware-laced file, the hackers gain access to the victim’s brokerage accounts, enabling them to carry out illicit financial transactions and withdraw funds, according to Group-IB. The cybersecurity firm tells TechCrunch that the devices of at least 130 traders are infected at the time of writing, but notes that it has “no insight on financial losses at this stage.”

One victim told Group-IB researchers that the hackers attempted to withdraw their money, but were unsuccessful.

It is not known who is behind the exploitation of the WinRAR zero-day. However, Group-IB said it observed the hackers using DarkMe, a Visual Basic trojan that has previously been linked to the “Evilnum” threat group.

Evilnum, also known as “TA4563”, is a financially motivated threat group that has been active in the U.K. and Europe since at least 2018. The group is known for targeting mainly financial organizations and online trading platforms. Group-IB said that while it identified the DarkMe trojan, it “cannot conclusively link the identified campaign to this financially motivated group.”

Group-IB says it reported the vulnerability, tracked as CVE-2023-38831, to WinRAR maker Rarlab. An updated version of WinRAR (version 6.23) patching the issue was released on August 2.
