The developers of WinRAR, the widely used file compression utility, have patched a zero-day vulnerability that attackers were exploiting to install malware on unsuspecting users' computers. The malware gave the criminals unauthorized access to victims' cryptocurrency and stock trading accounts.
Singapore-based cybersecurity firm Group-IB published its report on the zero-day on August 23. The flaw, tracked as CVE-2023-38831, had been exploited in the wild for approximately four months. It let attackers run malware when a recipient opened a file from inside a booby-trapped archive. The malware then served as a backdoor through which the attackers compromised online trading accounts for cryptocurrencies and stocks.
The attack relied on crafted RAR and ZIP archives containing seemingly harmless decoy files such as JPG images, text files or PDF documents. Alongside the decoy, each archive carried a folder with the same name as the decoy plus a trailing space, holding a script that also shares the decoy's name; because of the bug, double-clicking the decoy inside an unpatched WinRAR caused the script to run instead of (or as well as) the harmless file. The archives were posted on forums frequented by cryptocurrency traders, usually disguised as guides to trading strategies. Once a victim opened the decoy from within WinRAR, the script executed and the attackers gained access to the victim's brokerage accounts. Exploitation had been under way since April 2023.
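The archive layout described above is easy to recognise before anyone opens the file. The following Python script is an added example written for this article, not code from Group-IB or the WinRAR developers. It builds a constructed ZIP in memory that mirrors the lure structure (a decoy file beside a folder of the same name plus a trailing space, holding a placeholder .cmd with no payload), builds a benign control archive, and scans both for the pattern. The extension list and the function names are the author's assumptions; only ZIP is handled, since Python's standard library has no RAR reader.

```python
import io
import os
import zipfile

# Extensions the Windows shell will execute when WinRAR hands the extracted
# temp file to the shell. The real campaign used .cmd; the wider list is an
# assumption added to cover obvious variants.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".lnk"}


def find_lure_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, script) pairs whose layout matches the CVE-2023-38831 lure.

    The lure puts a harmless decoy such as 'Guide.pdf' at the top level and,
    beside it, a folder named 'Guide.pdf ' (same name, trailing space) that
    holds 'Guide.pdf .cmd'. Opening the decoy in an unpatched WinRAR ends up
    running the script from that folder.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    top_level_files = {n for n in names if "/" not in n}
    hits = []
    for name in names:
        folder, sep, rest = name.partition("/")
        if not sep or not rest:
            continue  # top-level file or a bare directory entry
        decoy = folder.rstrip(" ")
        if folder == decoy or decoy not in top_level_files:
            continue  # no trailing space, or no decoy twin at the top level
        leaf = rest.rsplit("/", 1)[-1]
        if os.path.splitext(leaf)[1].lower() in SCRIPT_EXTS:
            hits.append((decoy, name))
    return hits


def build_sample_lure() -> bytes:
    """Constructed fixture mirroring the campaign layout; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Strategy.pdf", b"%PDF-1.4\n% decoy placeholder\n")
        # Folder name == decoy name + trailing space; script shares the decoy's name.
        zf.writestr("Trading_Strategy.pdf /Trading_Strategy.pdf .cmd",
                    b"@echo off\r\necho placeholder, no payload\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: a script in an ordinary folder with no decoy twin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Strategy.pdf", b"%PDF-1.4\n")
        zf.writestr("scripts/setup.cmd", b"@echo off\r\n")
    return buf.getvalue()


def scan_file(path: str) -> list[tuple[str, str]]:
    """Convenience wrapper for scanning an archive on disk."""
    with open(path, "rb") as f:
        return find_lure_pairs(f.read())


if __name__ == "__main__":
    for label, data in (("lure", build_sample_lure()), ("benign", build_benign_archive())):
        found = find_lure_pairs(data)
        print(f"{label}: {'SUSPICIOUS ' + str(found) if found else 'no lure pattern'}")
```

The check keys on the one feature that no legitimate archiver produces: a folder whose name, minus trailing spaces, collides with a top-level file. Requiring a script-type file inside that folder keeps the rule from firing on archives that merely contain odd folder names. Run it over an inbox quarantine or a forum download directory with `scan_file`; a non-empty result is worth a manual look regardless of whether the WinRAR on the endpoint is already patched.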
Group-IB's report says the malicious archives were posted on at least eight publicly accessible trading forums and infected around 130 devices. The financial losses suffered by victims remain unknown. The script, once executed, launched a self-extracting archive that installed malware strains including DarkMe, GuLoader and Remcos RAT, each of which gives the attackers remote control over the infected machine.
RARLAB, the developer of WinRAR, was notified of the vulnerability and fixed it in version 6.23, released on August 2. Users who have not updated remain exposed, since the lure archives continue to work against older versions. Separately, BlackBerry's threat researchers reported several malware families actively trying to hijack computers for cryptocurrency mining or theft, and a newly observed remote access tool known as HVNC (Hidden Virtual Network Computing) targeting Apple's macOS was found being offered for sale on the dark web.