reader comments
48 with
A newly discovered zero-day in the widely used WinRAR file-compression program has been exploited for four months by unknown attackers who are using it to install malware when targets open booby-trapped JPGs and other innocuous inside file archives.
The vulnerability, residing in the way WinRAR processes the ZIP file format, has been under active exploit since April in securities trading forums, researchers from security firm Group IB reported Wednesday. The attackers have been using the vulnerability to remotely execute code that installs malware from families, including DarkMe, GuLoader, and Remcos RAT.
From there, the criminals withdraw money from broker accounts. The total amount of financial losses and total number of victims infected is unknown, although Group-IB said it has tracked at least 130 individuals known to have been compromised. WinRAR developers fixed the vulnerability, tracked as CVE-2023-38831, earlier this month.
Weaponizing ZIP archives
“By exploiting a vulnerability within this program, threat actors were able to craft ZIP archives that serve as carriers for various malware families,” Group-IB Malware Analyst Andrey Polovinkin wrote. “Weaponized ZIP archives were distributed on trading forums. Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.”
While Group-IB hasn’t detected the vulnerability being exploited in other settings or installing other malware families, it wouldn’t be surprising if that’s the case. In 2019, a similar WinRAR vulnerability tracked as CVE-2018-20250 came under active attack within weeks of becoming public. It was used in no fewer than five separate campaigns by separate threat actors.
WinRAR has more than 500 million users who rely on the program to compress large files to make them more manageable and quicker to upload and download. It’s not uncommon for people to immediately decompress the resulting ZIP files without inspecting them first. Even when people attempt to examine them for malice, antivirus software often has trouble peering into the compressed data to identify malicious code.
version 6.23 before using the program again.