Attackers exploited WinRAR zero-day for months to steal money from brokers (CVE-2023-38831)

Financially motivated attackers have exploited a zero-day vulnerability in WinRAR (CVE-2023-38831) to trick traders into installing malware that would allow them to steal money from broker accounts.

CVE-2023-38831 exploited

“This vulnerability has been exploited since April 2023,” says Group-IB malware analyst Andrey Polovinkin. Devices of at least 130 traders (and likely more) have been infected with malware in this campaign.


CVE-2023-38831 is a file extension spoofing flaw in how WinRAR handles the contents of an archive. It let attackers craft a RAR or ZIP archive that pairs a harmless-looking decoy file with a folder bearing the same name as that file, and hide the malicious scripts inside that folder. Because of the name collision, opening the decoy from within WinRAR causes the script in the same-named folder to run.

“All the archives we identified were created using the same method. They also all had a similar structure, consisting of a decoy file and a folder containing a mix of malicious and unused files. If the user opens the decoy file, which appears as a .txt, .jpg, or another file extension in WinRAR, a malicious script is instead executed,” Polovinkin explained.

The decoy file is opened, too, to complete the illusion, but in the background DarkMe, GuLoader, and/or Remcos RAT malware gets quietly installed, thus allowing attackers to remotely access the victim’s computer.
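The layout described above (a decoy file plus a folder of the same name carrying a script) is something a mail gateway or forum upload filter can look for before an archive ever reaches WinRAR. The following Python script is an added example, not code from Group-IB or RARLAB: it builds a constructed in-memory ZIP sample with that layout and a benign one, then scans for any file entry whose name collides with a directory name in the same archive and reports the executable-looking files inside that directory. The file names, the trailing space after the decoy name (which public analyses of this bug describe, though the scanner does not depend on it), and the list of script extensions are assumptions chosen for illustration; the script body in the sample is an inert `echo` and nothing is executed.

```python
"""Triage ZIP archives for the CVE-2023-38831 decoy/folder layout.

Added example, not Group-IB's or RARLAB's code. It flags archives in which a
file entry and a directory entry share a name (trailing whitespace ignored),
the structure the article describes, and lists script-like files inside the
colliding directory. File names and extension list below are assumptions.
"""
import io
import os
import zipfile
from typing import Dict, List, Optional

# Extensions Windows will execute when "opened" (assumed list, extend as needed).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".vbe", ".js", ".jse",
               ".wsf", ".wsh", ".ps1", ".scr", ".pif", ".lnk", ".hta"}


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, trailing whitespace ignored."""
    return os.path.splitext(name.rstrip("/").split("/")[-1].rstrip())[1].lower()


def find_decoy_folder_pairs(zip_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per file entry whose name is also used as a directory name.

    Each finding carries the decoy entry, every entry directly inside the
    look-alike folder, and the subset of those with executable extensions.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]

    # Normalised parent directory -> entries directly inside it.
    children: Dict[str, List[str]] = {}
    for n in files:
        parent, sep, _ = n.rpartition("/")
        if sep:
            children.setdefault(parent.rstrip(), []).append(n)

    findings: List[Dict[str, object]] = []
    for n in files:
        key = n.rstrip()          # "Report.pdf " and "Report.pdf /" collide on "Report.pdf"
        if key in children:
            inside = children[key]
            findings.append({
                "decoy": n,
                "folder_entries": inside,
                "script_entries": [c for c in inside if _ext(c) in SCRIPT_EXTS],
            })
    return findings


def triage(zip_bytes: bytes) -> str:
    """BLOCK when a colliding folder holds a script, REVIEW on any collision, else CLEAN."""
    findings = find_decoy_folder_pairs(zip_bytes)
    if any(f["script_entries"] for f in findings):
        return "BLOCK"
    if findings:
        return "REVIEW"
    return "CLEAN"


def build_sample_archive(decoy: str, script: Optional[str] = None) -> bytes:
    """Constructed in-memory sample (hypothetical names); the script body is an inert echo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(decoy, "This is the harmless decoy the victim expects to see.\n")
        if script is not None:
            # Folder named exactly like the decoy, holding the script that would be launched.
            zf.writestr(f"{decoy}/{script}", "@echo constructed sample, inert\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    bad = build_sample_archive("Trading_Strategy.pdf ", "Trading_Strategy.pdf .cmd")
    good = build_sample_archive("Trading_Strategy.pdf")
    for label, blob in (("decoy+folder layout", bad), ("plain archive", good)):
        print(label, triage(blob), find_decoy_folder_pairs(blob))
```

The scanner reads only the central directory (`namelist()`), so it never extracts anything and works on archives of any size. A name collision between a file and a directory cannot even be materialised on NTFS, so a `REVIEW` verdict is worth a look on its own; the `BLOCK` verdict adds the executable-extension check so that the usual benign cases (a `notes.txt` next to a `notes/` folder) are not treated as attacks. RAR archives need a different parser, but the same name-collision rule applies.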

Group-IB threat analysts discovered that CVE-2023-38831 was being exploited to spread the DarkMe malware in early July 2023.

“Initially, our research led us to believe that this was a known evolution of a vulnerability previously discovered by security researcher Danor Cohen in 2014. A method of modifying the ZIP header to spoof file extensions was observed, but further investigation revealed that this was not the case,” Polovinkin noted.

About the attack campaign

The threat actors targeted traders via specialized online forums, first engaging them in discussion and then offering what purported to be documents containing strategies or advice on specific problems or interests.

“Taking one of the affected forums as an example, some of the administrators became aware that harmful files were being shared on the forum, and subsequently issued a warning to users. Despite this warning, further posts were made and more users were affected. Our researchers also saw evidence that the threat actors were able to unblock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or sending private messages,” he added.

It is unknown how much money the threat actors were able to withdraw from victims’ broker accounts, or which cybercriminal group they belong to.

A fix is available

CVE-2023-38831 has been fixed by RARLAB in the latest WinRAR update (v6.23), along with a high-severity RCE vulnerability (CVE-2023-40477).

If you’re a WinRAR user, update to this version as soon as possible: WinRAR has no automatic update mechanism, so the new build must be downloaded and installed manually, and the installed version can be confirmed afterwards via the Help > About dialog. Now that the vulnerability details are public, other attackers are likely to replicate the original exploit or build easy-to-use tools that let less tech-savvy cyber crooks create booby-trapped archive files to exploit this flaw.
