Winrar 0Day Vulnerability Threatens Brokerage Accounts

Hackers Exploit Winrar Vulnerability to Steal Funds from Traders’ Accounts

September 28, 2022

Hackers are actively taking advantage of a recently discovered vulnerability in Winrar, a popular archiving program for Windows, to hack traders’ accounts and steal their funds. This vulnerability, known as Group-IB, was found in June of this year and affects the processing of ZIP files by the program.

The zero-day vulnerability allows attackers to hide malicious scripts in archival files, disguising them as “.jpg” image files or “.txt” text files, thus compromising targeted machines.

Since April of this year, attackers have been distributing harmful archives in specialized trading forums. Group-IB discovered these harmful archives placed on at least eight public forums related to trade, investments, and cryptocurrencies. The company has not disclosed the names of these forums.

After detecting malicious files on one of the forums, the administration issued a warning to its users and blocked the attackers’ accounts. However, Group-IB has found evidence that the hackers managed to unlock the accounts previously disconnected by the administration and are continuing to distribute malicious files.

When an infected file is opened, hackers gain access to the victims’ brokerage and can carry out illegal financial transactions. As of now, at least 130 traders’ devices have been infected.

It is currently unknown who is behind the exploitation of this vulnerability in Winrar. However, Group-IB has noted that the hackers have used the Trojan Darkme, which was previously associated with the Evilnum threat group. This threat group has been active in the UK and Europe since 2018, and is known for its attacks on financial organizations and online trading platforms.

Group-IB has reported the vulnerability to the developers of Winrar, and an updated version of the program (6.23) was released on August 2, addressing this issue.

/Reports, release notes, official announcements.