
Hackers exploit WinRAR bug to steal funds from brokers



Cybercriminals Exploit Zero-Day Vulnerability in WinRAR to Steal Funds

Cybercriminals are exploiting a zero-day vulnerability in WinRAR, a popular shareware archiving tool for Windows, to target traders and steal funds. The vulnerability, discovered by cybersecurity firm Group-IB, affects how WinRAR processes the ZIP file format. The flaw allows attackers to hide malicious scripts inside archives that appear to contain harmless .jpg images or .txt files, and to use those decoys to compromise the target machine.

Malicious ZIP Archives on Trading Forums

Group-IB reports that attackers have been exploiting this vulnerability since April by distributing malicious ZIP archives on specialist trading forums. At least eight public forums, covering various trading, investment, and cryptocurrency-related topics, have been found to host these malicious files. Group-IB has not named the targeted forums.

One forum became aware of the malicious files being shared and issued a warning to its users. The administrators also blocked the accounts used by the attackers. However, evidence suggests that the attackers were able to unlock the disabled accounts and continue spreading malicious files.

Hackers Gain Access to Brokerage Accounts

Once a user of a targeted forum opens the malware-laced file, the attackers gain access to the victim's brokerage accounts. This allows them to carry out illicit financial transactions and withdraw funds. Group-IB states that at least 130 traders' devices had been infected at the time of writing. However, the financial losses associated with this campaign are not yet known.

One victim told Group-IB researchers that the attackers attempted to withdraw their funds but were unsuccessful.

DarkMe Trojan and Evilnum Threat Group

The identity of those responsible for the WinRAR zero-day exploitation remains unknown. However, Group-IB observed the attackers using DarkMe, a Visual Basic trojan previously linked to the Evilnum threat group.

Evilnum, also known as TA4563, is a financially motivated threat group that has been active in the U.K. and Europe since 2018. It primarily targets financial organizations and online trading platforms. Although Group-IB identified the DarkMe trojan in this campaign, it cannot definitively attribute the campaign to Evilnum.

Patching the Vulnerability

Group-IB reported the vulnerability, tracked as CVE-2023-38831, to WinRAR developer Rarlab. A fix was released on August 2 in the form of an updated version of WinRAR (version 6.23).


The exploitation of this WinRAR zero-day highlights the ongoing threat cybercriminals pose to traders and their funds. By distributing malicious ZIP archives on trading forums, the attackers gain access to victims' brokerage accounts and carry out illicit financial transactions. The use of the DarkMe trojan, previously linked to the Evilnum threat group, further underlines the seriousness of the attacks. With a patched version now available, it is essential that WinRAR users update to protect themselves from this vulnerability.


What is a zero-day vulnerability?

A zero-day vulnerability is a software security flaw that is unknown to the developer or vendor and therefore has no patch available. Attackers exploit such vulnerabilities before the vendor has had an opportunity to fix them.

How are hackers exploiting the WinRAR zero-day vulnerability?

The attackers use the WinRAR flaw to hide malicious scripts inside archive files. The archives appear to contain harmless image or text files, but the flaw lies in how WinRAR handles a ZIP archive that contains a file and a folder with the same name: when the victim double-clicks the decoy file, WinRAR also executes the script with the matching name from that folder, compromising the target machine.
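The following scanner is an added example for this article, not code from Group-IB, Rarlab or the attackers. It assumes the publicly documented layout of CVE-2023-38831 archives (a decoy file such as "Trading_strategy.txt " with a trailing space, plus a folder of the same name holding a script such as "Trading_strategy.txt .cmd") and flags any ZIP whose central directory contains that file-plus-folder pairing. The sample archives it builds are constructed in the script itself and carry no payload, and nothing is extracted or executed.

```python
"""Scan a ZIP archive for the file-plus-folder layout used by CVE-2023-38831.

Added example for this article; it is not Group-IB's or Rarlab's code.
Assumption (from the public CVE description, not this article): the malicious
archive holds a decoy file such as "Trading_strategy.txt " (trailing space) and
a folder of the same name containing a script, e.g.
"Trading_strategy.txt /Trading_strategy.txt .cmd". Opening the decoy in an
unpatched WinRAR also runs the script. This scanner only reads the central
directory; nothing is extracted or executed.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions the Windows shell would execute if WinRAR hands them over.
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr", ".lnk")


def find_decoy_pairs(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy_file, script_entry) pairs where a folder shares the decoy's name.

    A file and a folder with an identical name cannot coexist on NTFS, so any
    such pairing inside an archive is already abnormal; a script inside that
    folder matches the exploit layout whether or not the name ends in a space.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        files = [n for n in names if not n.endswith("/")]
        for decoy in files:
            folder = decoy + "/"
            for entry in names:
                if entry.startswith(folder) and entry.lower().endswith(SCRIPT_EXTS):
                    hits.append((decoy, entry))
    return hits


def trailing_space_names(zip_bytes: bytes) -> List[str]:
    """Entries with any path component ending in a space (never legitimate on Windows)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            n for n in zf.namelist()
            if any(part.endswith(" ") for part in n.split("/") if part)
        ]


def is_suspicious(zip_bytes: bytes) -> bool:
    """True if the archive shows either indicator; either alone warrants a closer look."""
    return bool(find_decoy_pairs(zip_bytes)) or bool(trailing_space_names(zip_bytes))


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed sample archives; the 'script' is a harmless echo, not a payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "ordinary file")
        if malicious:
            zf.writestr("Trading_strategy.txt ", "decoy text the victim sees")
            zf.writestr("Trading_strategy.txt /Trading_strategy.txt .cmd",
                        "@echo constructed sample, no payload\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample_archive(False)),
                        ("malicious", build_sample_archive(True))):
        print(label, "suspicious" if is_suspicious(data) else "ok",
              find_decoy_pairs(data), trailing_space_names(data))
```

Because the check inspects only entry names, it is cheap enough to run at a mail gateway or on a forum's upload path, and it still catches the layout when the decoy uses an extension other than .jpg or .txt. It does not replace patching: WinRAR 6.23 fixes the underlying bug regardless of what the archive looks like.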

How are traders being targeted?

Traders are targeted through malicious ZIP archives distributed on trading forums. When a victim opens one of these files, the attackers gain access to their brokerage accounts, enabling fraudulent financial transactions.

Who is the Evilnum threat group?

Evilnum, also known as TA4563, is a financially motivated threat group that focuses on financial organizations and online trading platforms in the U.K. and Europe. The group is known for its sophisticated tactics and has been active since 2018.

How can WinRAR users protect themselves from this vulnerability?

WinRAR users should ensure they have updated to the latest version (6.23), released on August 2, which includes a patch for the vulnerability. WinRAR does not update itself automatically, so the new version must be downloaded from the vendor and installed manually. Regularly updating software is an essential security practice for staying protected against known vulnerabilities.


For more information, please refer to this link.