A zero-day vulnerability in WinRAR, identified as CVE-2023-38831, has been actively used to install malware onto devices, facilitating the hacking of online cryptocurrency trading accounts. This flaw has been exploited since April 2023, allowing the spread of various malware families, including DarkMe, GuLoader, and Remcos RAT. The vulnerability enabled attackers to create malicious .RAR and .ZIP archives that appeared to contain harmless files, such as .jpg images, .txt text files, or .pdf documents. However, opening these files would trigger a script that installed malware onto the device.
Group-IB, the cybersecurity firm that uncovered the campaign, demonstrated how simply double-clicking on a PDF in a malicious archive would execute a CMD script to install malware. WinRAR addressed the zero-day in version 6.23, released on August 2, 2023, which also fixed several other security issues, including CVE-2023-40477, a flaw that could initiate command execution upon opening a specially crafted RAR file.
According to a report by Group-IB, the WinRAR zero-day was used to target cryptocurrency and stock trading forums. The attackers masqueraded as fellow enthusiasts, sharing links to specially crafted WinRAR ZIP or RAR archives that purportedly contained their trading strategies. These archives were distributed across at least eight public trading forums, infecting an estimated 130 traders' devices. The total number of victims and the financial impact of this campaign remain unknown.
Opening the archives would reveal what seemed to be an innocuous file, such as a PDF. However, clicking on the PDF would silently execute a script that installed malware onto the device. The script would also open a decoy document to avoid arousing suspicion. The vulnerability was triggered by specially crafted archives with a slightly modified structure, which caused WinRAR's ShellExecute function to receive an incorrect parameter when attempting to open the decoy file. This resulted in the program bypassing the harmless file and instead locating and executing a batch or CMD script.
The script would then launch a self-extracting (SFX) CAB archive that infected the computer with various types of malware, including DarkMe, GuLoader, and Remcos RAT. These malware strains provided remote access to the infected device. While the DarkMe malware has previously been linked to the financially motivated EvilNum group, it's unclear who exploited CVE-2023-38831 in this campaign. Given DarkMe's history in financially motivated attacks, it's plausible that the attackers targeted traders to steal their crypto assets. Remcos RAT offers the attackers more powerful control over infected devices, potentially facilitating espionage operations.
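The "slightly modified structure" described above is publicly documented as a decoy file whose name ends in a trailing space, paired with a same-named directory holding a script that begins with the decoy's name. The following added example (written for this page, not code from Group-IB or WinRAR) checks a ZIP archive for that layout so a mail gateway or triage script can flag it before a user opens it; the extension list and the constructed sample archives are assumptions for the demonstration.

```python
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will happily run when the spoofed name resolves to the
# script instead of the decoy (assumed list for this example, extend as needed).
SCRIPT_EXTS = (".cmd", ".bat", ".ps1", ".vbs", ".js", ".exe", ".scr")


def find_spoofed_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy, script) pairs matching the CVE-2023-38831 layout:
    a top-level file whose name ends in a space, plus a directory with the
    same name that contains a script whose name starts with the decoy name."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    hits: List[Tuple[str, str]] = []
    for decoy in files:
        if "/" in decoy or not decoy.endswith(" "):
            continue  # only top-level names carrying a trailing space
        prefix = decoy + "/"
        for child in files:
            if not child.startswith(prefix):
                continue
            leaf = child[len(prefix):].lower()
            if leaf.startswith(decoy.lower()) and leaf.endswith(SCRIPT_EXTS):
                hits.append((decoy, child))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory archives for testing (no real malware): a benign
    PDF, or the decoy-plus-doubled-name-script layout the detector looks for."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Trading strategy.pdf ", b"%PDF-1.4 decoy")
            zf.writestr("Trading strategy.pdf /Trading strategy.pdf .cmd",
                        b"rem placeholder script body")
        else:
            zf.writestr("Trading strategy.pdf", b"%PDF-1.4 benign")
    return buf.getvalue()


if __name__ == "__main__":
    print("malicious:", find_spoofed_entries(build_sample(True)))
    print("benign:", find_spoofed_entries(build_sample(False)))
```

The check is purely structural, so it also catches archives whose payload the antivirus engine has never seen; patched WinRAR 6.23 remains the actual fix.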
Group-IB first identified CVE-2023-38831 in July 2023 and has since published a detailed report on its exploitation. WinRAR users are encouraged to upgrade to the latest version, 6.23, as soon as possible to mitigate the risk of file spoofing and other recently disclosed attacks.