WinRAR Security Flaw Exploited in Zero-Day Attacks

A recently patched security flaw in the popular archiving software WinRAR has been exploited as a Zero-Day since April 2023.

The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files. It was addressed in version 6.23 released on August 2, 2023, alongside CVE-2023-40477.

In attacks discovered by the Singapore-based firm in July 2023, specially crafted ZIP or RAR archive files distributed via trading-related forums such as Forex Station have been used to deliver a variety of malware families such as DarkMe, GuLoader, and Remcos RAT.

“After infecting devices, the cybercriminals withdraw money from broker accounts,” Group-IB malware analyst Andrey Polovinkin said, adding as many as 130 traders’ devices have been compromised as part of the campaign. The total number of victims and financial losses stemming from this activity are currently not clear.

The booby-trapped archive file is created such that it contains an image file as well as a folder with the same name.

WinRAR

As a result, when a victim clicks on the image, a batch script present within the folder is executed instead, which is then used to launch the next-stage, an SFX CAB archive designed to extract and launch additional files. At the same time, the script also loads the decoy image so as not to arouse suspicion.

“CVE-2023-38831 is caused by a processing error when opening the file within the ZIP archive,” Polovinkin said. “The crafted ZIP files have been distributed across at least 8 popular underground forums, resulting in a broad geolocation of victims, and the attacks are not targeted towards specific countries or industries.”

It’s not yet known who is behind the attacks leveraging the WinRAR flaw. That said, DarkMe is a Visual Basic trojan attributed to the EvilNum group, first documented by NSFOCUS in September 2022 in connection with a phishing campaign codenamed DarkCasino targeting European online gambling and trading services.

Also delivered using this method is a malware strain called GuLoader (aka CloudEye) that subsequently attempts to fetch Remcos RAT from a remote server.

“Recent cases of exploitation of CVE-2023-38831 remind us of the constant risks connected to software vulnerabilities,” Polovinkin said. “Threat actors are highly resourceful, and they will always find new ways to discover and subsequently exploit vulnerabilities.”

Related Posts
Devel Group
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.