Threat actors are exploiting a zero-day vulnerability in WinRAR to install malware. Tracked as CVE-2023-38831, the vulnerability may allow threat actors to hide malicious code in ZIP archives posing as “.jpg,” “.txt,” and other file formats, and to distribute those archives on online cryptocurrency trading forums.
The vulnerability had been under exploitation since April 2023, before Group-IB security researchers discovered it and reported it to Rarlab. Group-IB found the vulnerability while researching the DarkMe malware; it was a previously unknown flaw in WinRAR’s processing of the ZIP file format.
Rarlab, the developer and distributor of WinRAR, released a beta patch on July 20 and an updated version of WinRAR (version 6.23) on August 2. The Group-IB report says that 130 devices belonging to traders on cryptocurrency forums remain infected.
CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, acknowledging its active exploitation. CISA has urged users to patch the vulnerability before September 14, 2023.
WinRAR is among the world’s most popular compression tools and has over 500 million users worldwide. The tool offers improved ways to compress files for efficient and secure file transfer. The tool also provides fast email transmission and well-organized data storage options.
Group-IB research shows that the vulnerability originates from a processing error when WinRAR opens a file inside a ZIP archive. It allows attackers to deploy and discreetly distribute numerous malware programs to target systems via ZIP packages. Since exploitation began, the vulnerability has been used to spread several malware families, including DarkMe, GuLoader, and Remcos RAT.
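The post does not describe the archive layout that triggers the flaw. Public analyses of CVE-2023-38831 describe it as a ZIP containing a benign-looking file entry and a directory entry of the same name, with a script or executable inside that directory; WinRAR then launches the executable when the decoy is opened. The following defender-side triage script is an added example, not code from Qualys, Group-IB or Rarlab, and it only inspects entry names: it flags archives where a file name collides with a directory name that holds an executable-type entry. The extension list and the constructed sample archive are assumptions for illustration.

```python
from __future__ import annotations

import io
import posixpath
import zipfile

# Extensions treated as executable for triage; assumed list, adjust to policy.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".vbs", ".js", ".scr", ".ps1"}


def find_name_collisions(zf: zipfile.ZipFile) -> list[tuple[str, str]]:
    """Return (decoy_file, executable_entry) pairs.

    A decoy is a file entry whose full name is also used as a directory
    prefix by another entry; the pair is reported when that other entry has
    an executable-type extension. Trailing spaces in names are kept as-is
    because that is how the public samples were built, so a normal archive
    never produces such a collision.
    """
    files = [n for n in zf.namelist() if not n.endswith("/")]
    findings: list[tuple[str, str]] = []
    for decoy in files:
        dir_prefix = decoy + "/"
        for other in files:
            if not other.startswith(dir_prefix):
                continue
            _, ext = posixpath.splitext(other.rstrip(" "))
            if ext.lower() in EXECUTABLE_EXTS:
                findings.append((decoy, other))
    return findings


def scan_bytes(data: bytes) -> list[tuple[str, str]]:
    """Scan an in-memory ZIP; use open(path, 'rb').read() for files on disk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_name_collisions(zf)


def build_sample_archive(suspicious: bool) -> bytes:
    """Constructed test fixture; only the entry names matter, contents are text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed sample, harmless text")
        if suspicious:
            # File "trading_tips.txt " next to directory "trading_tips.txt /"
            zf.writestr("trading_tips.txt ", "decoy, constructed sample")
            zf.writestr("trading_tips.txt /trading_tips.txt .cmd", "constructed sample")
        else:
            zf.writestr("notes.txt", "constructed sample")
            zf.writestr("notes/setup.cmd", "constructed sample")  # no collision
    return buf.getvalue()
```

A hit is a strong signal for quarantine, but a clean result only means this particular layout is absent; the archive should still go through normal AV scanning, and the endpoint should be on WinRAR 6.23 or later.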
Exploitation of the Vulnerability
The attackers mainly targeted traders on public forums, where traders routinely take part in discussions and exchange helpful information with one another. The threat actors uploaded the malware-laden ZIP archive in forum posts or sent it in private messages to other forum members. The malicious ZIP package was occasionally hosted on catbox.moe, a free file storage service.
In one of the groups, the threat actor claimed in a post to share their best personal method for trading bitcoin and attached the malicious ZIP files. Group-IB also observed the threat actor logging into forum accounts and posting malware into active discussion threads.
On a few occasions, forum administrators discovered that malicious files were being circulated on their websites and tried to warn users of the danger. The threat actor kept posting malicious attachments on the forum regardless of these alerts.
The vulnerability affects WinRAR versions before 6.23.
The vendor recommends its users install WinRAR 6.23 to patch the vulnerability.
For more information, please refer to the WinRAR Release Note.
Qualys customers can scan their devices with QID 378790 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.