Zero-Day Attack Targets Traders Using WinRAR Vulnerability

A recently patched security vulnerability in the WinRAR compression software has been exploited as a zero-day vulnerability since April 2023, according to new findings from Group-IB.

The vulnerability, tracked as CVE-2023-38831, allows threat actors to spoof file extensions to launch malicious scripts within compressed packages disguised as seemingly innocuous images or text files. Version 6.23, released on August 2, 2023, patched this vulnerability, along with CVE-2023-40477.

In an attack discovered by the Singapore-based firm in July 2023, specially crafted ZIP or RAR archives distributed through trading-related forums such as Forex Station were used to spread various malware, including DarkMe, GuLoader and Remcos RAT.

After infecting devices, cybercriminals withdraw funds from brokerage accounts, said Andrey Polovinkin, Group-IB malware analyst. The total number of victims and the resulting economic losses are not yet known.

The booby-trapped archives are built by placing an image file and a folder with the same name inside the same archive.

When the victim clicks on the image, the batch script inside the same-named folder is executed instead, and that script launches the next stage: an SFX CAB archive that extracts and runs further files. At the same time, the script opens a decoy image so that nothing looks out of the ordinary.
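The layout described above (a decoy image or text entry colliding with a same-named folder that holds a script) is something a mail gateway or triage script can check for before an archive reaches WinRAR. The following is an added example written for this page, not code from Group-IB or the article; the extension lists are assumed, and the sample archive is constructed inline with a harmless placeholder script. Entry names are compared after stripping trailing whitespace, a conservative choice so that a name padded with spaces still counts as a collision.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Decoy types named in the report (images, text) and script types for the
# first stage (a batch file); the extra entries are an assumed defender list.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".txt"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1"}


def find_cve_2023_38831_pattern(archive_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_entry, script_entry) pairs where a top-level decoy file
    shares its name with a folder that contains a script-like entry."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = zf.namelist()

    decoys = {}          # normalised file name -> original entry name
    folder_scripts = {}  # normalised folder name -> script entries under it
    for name in names:
        if name.endswith("/"):        # explicit directory entries carry no data
            continue
        parts = PurePosixPath(name).parts
        if len(parts) == 1:
            if PurePosixPath(parts[0].rstrip()).suffix.lower() in DECOY_EXTS:
                decoys[parts[0].rstrip()] = name
        elif PurePosixPath(parts[-1]).suffix.lower() in SCRIPT_EXTS:
            folder_scripts.setdefault(parts[0].rstrip(), []).append(name)

    return [(decoys[k], s) for k in decoys for s in folder_scripts.get(k, [])]


def build_sample_archive(with_collision: bool = True) -> bytes:
    """Constructed, harmless sample mirroring the reported layout: an image
    entry plus a same-named folder holding a placeholder batch file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg", b"\xff\xd8\xff")          # fake JPEG header
        zf.writestr("README.txt", "benign text entry")
        if with_collision:
            zf.writestr("chart.jpg/chart.jpg.cmd", "@echo sample\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, script in find_cve_2023_38831_pattern(build_sample_archive()):
        print(f"suspicious: {decoy!r} collides with folder holding {script!r}")
```

A hit is a strong signal rather than proof of exploitation, since an archive can legitimately contain a file and folder with the same name; quarantine and inspect rather than auto-delete.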

Polovinkin told The Hacker News: CVE-2023-38831 is caused by a processing error when opening files in ZIP archives. The weaponized ZIP archive was distributed on at least 8 popular trading forums, so the geographical location of the victims is very broad and the attack does not target a specific country or industry.

It is not yet known who is behind the attack exploiting the WinRAR vulnerability. Nonetheless, DarkMe, a Visual Basic Trojan belonging to the EvilNum group, was first documented by NSFOCUS in September 2022 in connection with a phishing campaign targeting a European online gambling and trading service codenamed DarkCasino.

Also spread using this method is a malware called GuLoader (aka CloudEye), which then tries to fetch the Remcos RAT from a remote server.

Polovinkin said: The recent case of exploiting CVE-2023-38831 reminds us that the risks associated with software vulnerabilities are always present. Attackers are resourceful, and they are always finding new ways to discover and exploit vulnerabilities.


Source: blog.csdn.net/FreeBuf_/article/details/132498480