A bug in the way WinRAR handles .ZIP files is being exploited to steal money from crypto traders and other market speculators.
Analysis from cybersecurity experts Group-IB discovered a group of criminals started distributing a malicious .ZIP archive across multiple forums where traders gather to share ideas, experiences, and similar.
Visitors to at least eight such forums were targeted by the zero-day flaw, tracked as CVE-2023-38831, with the archive carrying a malicious script hidden inside a .JPG or .TXT file.
Hundreds of victims
While administrators to some of the forums were quick to react and warn their users of the attack, they weren’t fast enough, Group-IB said, stating that they found evidence of hackers unlocking accounts “that were disabled by forum administrators to continue spreading malicious files.”
The malware grants the attackers access to their victims’ brokerage accounts, the researchers further explained, which allowed them to pull the money out. At least 130 traders had their endpoints infected, Group-IB said, but the researchers don’t know how much money was stolen in the process.
One victim said the withdrawal was unsuccessful.
While the researchers don’t know for certain who is behind this campaign, they suspect the threat actor to be “Evilnum”, also known as “TA4563”, as both these groups used a Visual Basic trojan called DarkMe. Evilnum was first observed some five years ago, targeting trading platforms and financial organizations in the UK and Europe.
Cryptocurrency traders are a popular target among hackers due to the way the blockchain is designed. Once a transaction is initiated, in most cases it’s impossible to reverse.
The flaw has since been fixed with a patch, and if you’re worried about being targeted, make sure your WinRAR is on version 6.23.