A newly discovered zero-day remote code execution vulnerability in WinRAR has been exploited in the wild to distribute several malware families such as DarkMe, GuLoader, and RemcosRAT. According to Group-IB researchers, the attacks exploiting the flaw have been ongoing since April.

Group-IB researchers came across the attack while monitoring the DarkMe malware activity. Although the malware strain has been associated with the financially motivated Evilnum group, it is unclear who leveraged the WinRAR flaw to install the malware.

About the campaign

Threat actors distributed the weaponized zip archives on at least eight public forums regularly used by online traders. In a few instances, the attackers were also found leveraging a free file storage service called catbox.moe to distribute the zip archives.
  • Once installed on a system, the malware gains access to the trading accounts of the victim and executes unauthorized transactions to withdraw funds.
  • Administrators of a forum became aware of malicious files and blocked rogue accounts. Despite that, threat actors were able to unblock the accounts and continue spreading malicious files to users via private messages.
  • Administrators had also warned users about the ongoing attack attempts.

So far, 130 traders' devices have been found to be infected in the attack.

Diving into the flaw

  • The zero-day vulnerability, tracked as CVE-2023-38831, allows attackers to spoof file extensions.
  • This lets them conceal malicious code in zip archives whose entries masquerade as jpg, txt, and other harmless file formats.
  • It is triggered by a specially crafted archive when the victim opens the decoy file: the ShellExecute call WinRAR makes on that file receives an incorrect parameter, so the hidden script runs instead of the decoy.
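The following is an added triage script, not Group-IB's tooling or any code from this report. It inspects a zip archive for the two traits the bullets describe: entries whose claimed jpg/txt extension does not match their content, and script entries hidden beside a decoy. Assumptions: only JPEG and plain-text decoys are fingerprinted, and the specific "decoy file plus same-named directory holding a script" layout it looks for follows public write-ups of this CVE rather than this page.

```python
import io
import os
import zipfile

# Assumption: only JPEG and plain text are fingerprinted here; extend as needed.
JPEG_MAGIC = b"\xff\xd8\xff"
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr"}


def flag_archive(data: bytes) -> list:
    """Return a list of findings for a zip supplied as bytes; [] means clean."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        # File entry names with trailing whitespace removed, for twin matching.
        file_names = {i.filename.rstrip() for i in infos if not i.is_dir()}
        for info in infos:
            name = info.filename
            if info.is_dir():
                # A directory whose name equals a file entry once trailing
                # spaces are ignored (assumed layout from public write-ups).
                twin = name.rstrip("/").rstrip()
                if twin in file_names:
                    findings.append(f"directory {name!r} shadows file {twin!r}")
                continue
            ext = os.path.splitext(os.path.basename(name).rstrip())[1].lower()
            head = zf.read(name)[:512]
            if ext == ".jpg" and not head.startswith(JPEG_MAGIC):
                findings.append(f"{name!r} claims JPEG but lacks a JPEG header")
            elif ext == ".txt" and b"\x00" in head:
                findings.append(f"{name!r} claims text but holds binary data")
            if ext in SCRIPT_EXTS:
                findings.append(f"{name!r} is a script/executable entry")
    return findings


def build_sample(suspicious: bool = True) -> bytes:
    """Constructed sample archive; all contents are harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if suspicious:
            zf.writestr("chart.jpg", b"not an image")  # decoy with wrong content
            zf.writestr("chart.jpg /", b"")  # directory twin of the decoy
            zf.writestr("chart.jpg /chart.jpg .cmd", b"echo placeholder\r\n")
        else:
            zf.writestr("chart.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
            zf.writestr("notes.txt", b"plain text only\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in flag_archive(build_sample()):
        print(line)
```

Run it against a quarantined archive by passing the file's bytes to flag_archive; any non-empty result warrants a closer look before the archive is opened in WinRAR.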

Final words

It is highly recommended that users upgrade to the latest version (6.23) of WinRAR as soon as possible to eliminate the risk of such attacks. Additionally, organizations must remain vigilant, keep their systems updated, and follow security guidelines to avoid falling victim to these attacks.
Cyware Publisher