WinRAR security breach: Zero-Day exploit targets traders, fixed in latest patch
Since April 2023, WinRAR has been exposed to a zero-day vulnerability (CVE-2023-38831) that allowed attackers to disguise file extensions and launch harmful scripts from archives that appeared to contain only a harmless image or text file. The issue was fixed in WinRAR 6.23, released on August 2, 2023, which also shipped a fix for a second vulnerability (CVE-2023-40477).
The attacks, discovered by Group-IB in July 2023, used specially crafted ZIP or RAR archives distributed through trading-related forums such as Forex Station. The attackers delivered malware including DarkMe, GuLoader and Remcos RAT to compromise traders' devices and drain funds from their broker accounts.
The campaign compromised around 130 traders' devices; the total number of victims and the extent of the financial losses remain unclear. The malicious archives contained an image file alongside a similarly named folder. When the victim opened the image, a batch script from that folder ran instead, launching an SFX CAB archive that extracted and executed additional files while the decoy image was displayed to avoid suspicion. The flaw was a processing error in how WinRAR handled files inside ZIP archives. The weaponized ZIP archives were spread on at least eight popular trading forums worldwide. The attackers exploiting CVE-2023-38831 have not been identified, but the DarkMe trojan has been linked to the EvilNum group, known for a phishing campaign that targeted European online gambling and trading services.
What should users do? WinRAR users are strongly advised to update promptly to release 6.23 from August 2, which closes the file-spoofing flaw and the other recently disclosed vulnerabilities.
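Defenders can look for the archive layout described above (a decoy image or text file next to a folder of the same name that holds a script) before an archive ever reaches WinRAR. The following is an added example, not code from the article or from Group-IB; the extension lists and the `chart.jpg` sample names are assumptions, and the constructed sample's script does nothing harmful.

```python
import io
import os
import zipfile
from collections import defaultdict

# Assumed extension lists: what a user expects to open (decoy) vs. what actually runs (script).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe", ".scr"}


def _ext(name: str) -> str:
    return os.path.splitext(name.rstrip())[1].lower()


def find_spoofed_entries(data: bytes) -> list[dict]:
    """Scan a ZIP's central directory for a top-level decoy file whose name
    matches a folder (ignoring trailing whitespace) that contains a script."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    top_files = []
    dir_children = defaultdict(list)  # top-level folder -> files inside it
    for name in names:
        if name.endswith("/"):
            continue  # explicit directory entry, no payload
        parts = name.split("/")
        if len(parts) == 1:
            top_files.append(name)
        else:
            dir_children[parts[0]].append(parts[-1])
    findings = []
    for decoy in top_files:
        if _ext(decoy) not in DECOY_EXTS:
            continue
        for folder, children in dir_children.items():
            if folder.rstrip() != decoy.rstrip():
                continue
            for child in children:
                if _ext(child) in SCRIPT_EXTS:
                    findings.append({"decoy": decoy, "folder": folder, "script": child})
    return findings


def build_sample() -> bytes:
    """Constructed sample mimicking the layout in the article; the script only echoes text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg ", b"\xff\xd8\xff\xe0 constructed decoy bytes")
        zf.writestr("chart.jpg /chart.jpg .cmd", "@echo constructed sample, does nothing\r\n")
    return buf.getvalue()


def build_benign() -> bytes:
    """Constructed ordinary archive: an image plus an unrelated folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg", b"\xff\xd8\xff\xe0 constructed image bytes")
        zf.writestr("notes/readme.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_spoofed_entries(build_sample()))
    print(find_spoofed_entries(build_benign()))
```

The check only inspects names, so it is cheap enough to run at a mail gateway or on a file share; a matching archive should be quarantined for analysis rather than opened.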

Comments
I hope all the websites that host WinRAR installers will update them (they most likely will never do that).