
WinRAR zero-day used to pack in malware for targeted attacks

A months-long malware campaign was seen exploiting a zero-day flaw in WinRAR for spear-phishing attacks aimed at traders and finance professionals

A zero-day flaw in the WinRAR compression tool is being targeted in the wild for attacks on financial accounts.

Researchers with security vendor Group-IB say that the now-patched vulnerability, designated CVE-2023-38831, has been exploited in attacks going back at least to April.

The vulnerability stems from an error in how WinRAR handles .zip archives, which lets an attacker spoof file formats. In practice an attacker packs a malicious script into an archive alongside a decoy that presents itself as a benign file such as an image, PDF or text document; the public analysis of CVE-2023-38831 describes the trigger as a decoy file that shares its name with a folder holding the script, so that opening the decoy in WinRAR launches the script instead of, or as well as, the harmless file.
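A defensive check a practitioner can run on archives arriving by mail or from forums, as an added example that is not Group-IB's tooling nor code from the article: it parses a ZIP's entry list and flags the decoy-file / same-named-folder layout that public analyses attribute to CVE-2023-38831 (a file such as `strategy.pdf` next to a directory `strategy.pdf/` containing `strategy.pdf .cmd`). The script-extension list is an assumption for illustration, and the sample archives are constructed in memory with placeholder content rather than any real payload.

```python
"""Scan ZIP archives for the CVE-2023-38831 decoy-file / same-named-folder layout."""
import io
import posixpath
import sys
import zipfile

# Extensions Windows would hand to an interpreter or loader. Assumption: a
# representative list for the example, not an exhaustive one.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com", ".pif"}


def find_decoy_pairs(zip_bytes: bytes) -> list:
    """Return sorted (decoy_file, script_entry) pairs matching the exploit layout.

    A pair is reported when a file entry F has a sibling directory named F/
    that directly contains an entry whose name starts with F's leaf name and
    ends in a script extension (e.g. 'strategy.pdf/strategy.pdf .cmd').
    """
    pairs = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Directory entries end in '/'; only real files can act as decoys.
        files = [n for n in zf.namelist() if not n.endswith("/")]
        for decoy in files:
            prefix = decoy + "/"
            base = posixpath.basename(decoy)
            for other in files:
                if not other.startswith(prefix):
                    continue
                leaf = other[len(prefix):]
                if "/" in leaf:  # only the first directory level matters here
                    continue
                stem, ext = posixpath.splitext(leaf)
                # The trailing space before the extension is what hides the
                # script extension in the archive listing; strip it for the match.
                if ext.lower() in SCRIPT_EXTENSIONS and stem.rstrip().startswith(base):
                    pairs.append((decoy, other))
    return sorted(pairs)


def build_sample(malicious: bool) -> bytes:
    """Construct an in-memory sample archive (constructed test data, no real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("strategy.pdf", b"%PDF-1.4 decoy document")
        if malicious:
            # Same leaf name as the decoy, trailing space, script extension.
            zf.writestr("strategy.pdf/strategy.pdf .cmd",
                        b"@echo off\r\necho placeholder, not a payload\r\n")
        else:
            zf.writestr("notes/readme.txt", b"benign companion file")
    return buf.getvalue()


def scan_path(path: str) -> list:
    """Scan an archive on disk and return its suspicious pairs."""
    with open(path, "rb") as fh:
        return find_decoy_pairs(fh.read())


if __name__ == "__main__":
    # Usage: python scan_zip.py archive1.zip archive2.zip ...
    targets = sys.argv[1:]
    if not targets:
        print("demo:", find_decoy_pairs(build_sample(True)))
    for target in targets:
        hits = scan_path(target)
        print(f"{target}: {'SUSPICIOUS ' + str(hits) if hits else 'clean'}")
```

The check deliberately keys on archive structure rather than file content, so it works on an archive that has not been extracted and does not depend on signatures for any particular payload; it will also flag archives that follow the layout but carry a harmless script, which for a mail gateway or forum upload filter is the right trade-off.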

The researchers said that while the attackers used different malware payloads across variations of the attack, the objective was constant: stealing credentials for financial trading accounts.

Group-IB noted that some of the tools were repurposed payloads from the 2022 DarkCasino campaign, an operation attributed to the Evilnum APT group that likewise preyed on finance professionals and high-value accounts.

To reach victims, the attackers posted the malicious archives to at least eight forums frequented by traders and cryptocurrency investors. Should a user open the booby-trapped archive, the attackers would harvest their credentials and attempt to empty the victim's trading or bank accounts.

By the time Group-IB's Threat Intelligence team spotted the attacks in early July, the exploit is thought to have been circulating for months on various financial trading forums.

"Initially, our research led us to believe that this was a known evolution of a vulnerability previously discovered by security researcher Danor Cohen in 2014," Group-IB explained.

"A method of modifying the ZIP header to spoof file extensions was observed, but further investigation revealed that this was not the case. Instead, our analysis revealed the existence of a new vulnerability in WinRAR."

The vulnerability was privately reported to WinRAR developer RARLAB, which fixed it in version 6.23, released to end users on August 2. Users and administrators are advised to install the patched version; because WinRAR has no automatic update mechanism, the new build must be downloaded and installed manually, and organizations should verify the installed version on each endpoint rather than assume the fix has propagated.

Even with a patch available for weeks, well over a hundred PCs appear to remain infected: Group-IB said it has spotted at least 130 devices running the malicious payload delivered by the .zip archive attacks.