WinRAR Zero-Day Hack Exposes Crypto Accounts

The developers of the file compression software WinRAR have rectified a zero-day vulnerability that allowed hackers to install malware on the computers of unsuspecting victims and access their cryptocurrency and stock trading accounts.

On August 23, the Singapore-based cybersecurity company Group-IB disclosed a zero-day vulnerability in WinRAR’s handling of the ZIP file format.

The zero-day vulnerability identified as CVE-2023-38831 was exploited for approximately four months, allowing attackers to install malware when a victim clicked on archive files.

According to the report, the malware would then enable hackers to compromise online crypto and stock trading accounts.

Using the exploit, threat actors were able to generate malicious RAR and ZIP archives containing files that appeared to be harmless, such as JPG images and PDF documents.

“Once extracted and executed, the malware allows threat actors to withdraw money from broker accounts. This vulnerability has been exploited since April 2023.”

These weaponized ZIP archives were then disseminated on trading forums frequented by crypto traders, posing as trading strategies with titles such as “Best Personal Strategy for Trading with Bitcoin.”

The report affirmed that malicious archives made their way onto at least eight public trading forums, infecting at least 130 devices; however, the financial losses sustained by the victims are unknown.


WinRAR exploit infection chain. Source: Group-IB

Upon execution, the script hidden inside the archive launches a self-extracting (SFX) archive that infects the target computer with various strains of malware, including DarkMe, GuLoader, and Remcos RAT.

These grant the perpetrator remote access to the compromised system. DarkMe malware has previously been used in crypto-related and financially motivated attacks.
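For a defender triaging archives posted to such forums, the layout of these lures is itself a usable indicator. The following Python script is an added example, not code from the article or from Group-IB: it flags a ZIP in which a top-level file with a harmless-looking extension (the PDF and JPG decoys described above) shares its name with a folder that holds script entries, and separately reports any entry whose name ends in a space. Both checks follow the public analysis of CVE-2023-38831 (an assumption on this page, since the article does not describe the archive layout); the two sample archives are constructed in memory, and the script body inside the lure sample is an inert `echo`, not malware.

```python
"""Flag ZIP archives laid out like the CVE-2023-38831 trading-forum lures."""
import io
import posixpath
import zipfile

# Extensions a victim would regard as harmless (the article names JPG and PDF).
DECOY_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".png", ".txt", ".docx", ".xlsx"}
# Extensions the Windows shell executes when the entry is opened.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def _ext(name: str) -> str:
    """Lower-cased extension of an entry name, ignoring trailing whitespace."""
    return posixpath.splitext(name.rstrip())[1].lower()


def scan_archive(zip_bytes: bytes) -> dict:
    """Return suspicious features of a ZIP held in memory.

    decoy_script_pairs: (decoy, script) tuples where a top-level document/image
        entry, after trailing whitespace is stripped, names a folder that holds
        an executable script entry (assumption: the layout used by this lure).
    trailing_space_names: entries with a file or folder name ending in a space,
        which standard archivers do not produce by default.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]
    decoys = [n for n in files if "/" not in n and _ext(n) in DECOY_EXTENSIONS]

    pairs = []
    for decoy in decoys:
        for other in files:
            folder, _, leaf = other.rpartition("/")
            if (folder and folder.rstrip() == decoy.rstrip()
                    and _ext(leaf) in SCRIPT_EXTENSIONS):
                pairs.append((decoy, other))

    trailing = [
        n for n in names
        if any(part != part.rstrip() for part in n.rstrip("/").split("/"))
    ]
    return {"decoy_script_pairs": pairs, "trailing_space_names": trailing}


def build_constructed_lure() -> bytes:
    """Constructed sample reproducing only the lure layout; the script is inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Best Strategy.pdf ", b"%PDF-1.4\n% constructed decoy document\n")
        zf.writestr("Best Strategy.pdf /Best Strategy.pdf .cmd",
                    b"@echo constructed inert sample\r\n")
    return buf.getvalue()


def build_constructed_benign() -> bytes:
    """Constructed sample of an ordinary archive that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed document\n")
        zf.writestr("charts/btc.jpg", b"\xff\xd8\xff\xe0 constructed jpeg header")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_constructed_lure()),
                        ("benign", build_constructed_benign())):
        print(label, scan_archive(data))
```

Run it on a real archive with `scan_archive(open(path, "rb").read())`; a non-empty `decoy_script_pairs` list is a strong signal, while `trailing_space_names` alone is a weaker hint worth a manual look. The comparison strips trailing whitespace on both sides so the check still fires if the folder and decoy differ only in that space.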

The researchers informed RARLABS, which rectified the zero-day vulnerability in the August 2 release of WinRAR version 6.23.

In August, BlackBerry identified several malware families that actively targeted computers to mine or pilfer cryptocurrencies.

In the same month, a new remote access tool dubbed HVNC (Hidden Virtual Network Computer) was discovered for sale on the dark web. This tool allows hackers to compromise Apple operating systems.
