Threat actors are targeting users in online cryptocurrency trading forums via a now-patched bug in the popular WinRAR file compression and archiving utility.
The vulnerability tracked as CVE-2023-38831 allowed the attackers to hide malicious code in zip archives masquerading as “.jpg,” “.txt,” and other file formats, and then distribute them in online cryptocurrency trading forums.
The attacks have been going on since at least April, and a beta patch was issued on July 20 and an updated version of WinRAR (version 6.23) on Aug. 2. Security experts urged WinRAR users, currently estimated at 500 million, to install the new version immediately to mitigate their exposure to attacks targeting the vulnerability.
Researchers discovered the zero-day vulnerability in WinRAR while they investigated the threat activity related to DarkMe RAT and attributed to Evilnum. The malware packs a variety of functions for spying on targets or for use as a loader for other malware.
The vulnerability stemmed from how WinRAR processes the zip file format. It essentially gave attackers a way to conceal various types of malware tools in zip archives and distribute them to target systems. Group-IB researchers observed the threat actor deliver at least three malware families this way: DarkMe, GuLoader, and Remcos RAT.
The threat actor then distributed the weaponized zip archives on at least eight public forums that online traders use regularly to share information and discuss topics of mutual interest.
The adversary attached the malware-loaded zip archive to a forum post or in private messages to other forum members. The topic of the posts tended to be something that would grab the attention of a forum member. Researchers say it also observed that the threat actor gain access to forum accounts and insert their malware in existing discussion threads.
The attacker also distributed the zip archives via a free file storage service called catbox.moe. Once installed on the system, the malware gained access to the trading accounts of the victim and executed unauthorized transactions to withdraw funds from it.
Occasionaly forum administrators became aware of malicious files being distributed via their sites and attempted to warn members about the threat. Despite these warnings, the threat actor continued to make posts on the forum with malicious attachments.
Even with these strong artifacts, Group-IB itself has not been able to attribute the WinRAR attacks definitively to the threat group.