A newly discovered zero-day vulnerability in WinRAR, which lets an attacker run arbitrary code when a victim opens a file inside a crafted archive, has been actively exploited by cybercriminals to distribute multiple malware families, including DarkMe, GuLoader, and RemcosRAT. Security researchers from Group-IB have found evidence of attacks leveraging this flaw since April 2023.

Group-IB researchers first encountered the attack while monitoring the activity of the DarkMe malware, which has previously been associated with the financially motivated Evilnum group. It is unclear at this point who exactly is behind the exploitation of the WinRAR vulnerability to install the malware.

The attackers targeted online traders by distributing weaponized zip archives through at least eight public forums commonly used by traders. In some cases, they also utilized a free file storage service called catbox.moe for distributing the malicious archives.

Once the malware is installed on a victim’s system, it gains access to their trading accounts and proceeds to carry out unauthorized transactions, resulting in fund withdrawals. Forum administrators detected the malicious files and blocked rogue accounts. However, the threat actors managed to unblock the accounts and continue spreading the malware through private messages.

Forum administrators issued notifications and warnings to users about the ongoing attack attempts. According to Group-IB, the campaign has already infected at least 130 devices belonging to traders.

The zero-day flaw, tracked as CVE-2023-38831, lets attackers spoof file extensions: a zip archive contains a harmless-looking decoy file (a jpeg, txt or similar) alongside a folder that carries the same name, and that folder holds a script with the same name plus an executable extension. When the victim double-clicks the decoy, WinRAR extracts the folder's contents as well and passes the wrong name to Windows' ShellExecute function, which ends up launching the script instead of opening the decoy. No exploit of a memory-corruption bug is involved; a single click on what looks like an image or text file is enough.
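The archive layout described above is easy to check for before a file ever reaches WinRAR. The following scanner is an added example written for this article, not code from Group-IB or from WinRAR: it walks the entries of a zip and flags a file whose parent folder is named like a sibling file plus trailing whitespace and whose own stem repeats that name with an executable extension, which is the CVE-2023-38831 pattern. The list of executable extensions and the constructed sample archive (with an inert script body) are assumptions for the example.

```python
import io
import zipfile

# Extensions Windows will run when handed to ShellExecute.
# Assumed list for this example; extend it to match your own policy.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                   ".ps1", ".hta", ".lnk", ".msi"}


def _split_ext(name):
    """Return (stem, ext); ext keeps its leading dot and is lower-cased."""
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, "." + ext.lower()


def find_spoofed_entries(zf):
    """Scan an open ZipFile for the CVE-2023-38831 layout.

    A file entry is flagged when its parent folder's name equals a
    sibling file's name plus trailing spaces (the decoy) and the entry's
    own stem, stripped of trailing spaces, is that decoy name with an
    executable extension.  Returns (decoy, folder, payload) tuples.
    Folders are derived from file paths, so archives without explicit
    directory entries are handled too.
    """
    files = {n for n in zf.namelist() if not n.endswith("/")}
    findings = []
    for path in sorted(files):
        if "/" not in path:
            continue
        parent, inner = path.rsplit("/", 1)
        decoy = parent.rstrip(" ")
        if decoy == parent or decoy not in files:
            continue  # no trailing space, or no same-named decoy beside the folder
        stem, ext = _split_ext(inner)
        decoy_base = decoy.rsplit("/", 1)[-1]
        if stem.rstrip(" ") == decoy_base and ext in EXECUTABLE_EXTS:
            findings.append((decoy, parent, path))
    return findings


def scan_zip_bytes(data):
    """Convenience wrapper: scan an in-memory zip given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_spoofed_entries(zf)


def build_sample_archive():
    """Constructed sample for the example, not a real malware archive.

    'trade.jpg' is the decoy; the folder 'trade.jpg ' (trailing space)
    holds 'trade.jpg .cmd', whose body is inert.  The remaining entries
    are benign, including a folder named like a file but without the
    trailing space, which must not be flagged.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("trade.jpg", b"\xff\xd8\xff\xe0 placeholder image bytes")
        zf.writestr("trade.jpg /trade.jpg .cmd",
                    "@echo off\r\necho constructed sample\r\n")
        zf.writestr("readme.txt", "benign text")
        zf.writestr("charts/q1.png", b"\x89PNG placeholder")
        zf.writestr("report.pdf/notes.txt", "folder named like a file, no trailing space")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, folder, payload in scan_zip_bytes(build_sample_archive()):
        print(f"SUSPICIOUS: opening {decoy!r} would run {payload!r} (folder {folder!r})")
```

Run it on real attachments at a mail gateway or sandbox intake; a match means the archive should be quarantined regardless of what the decoy appears to be. Windows also ignores trailing spaces when resolving names, which is why the check strips them on both the folder and the script stem rather than comparing names literally.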

To mitigate the risk of such attacks, users are strongly advised to update to WinRAR version 6.23, which fixes the flaw, as soon as possible. Note that WinRAR does not update itself, so the new build has to be downloaded from the vendor and installed manually on every machine. Organizations should also treat archives arriving from forums, file-sharing sites and private messages with suspicion, keep their systems patched, and follow their security guidelines to avoid falling victim to attacks of this kind.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
