WinRAR users update your software as 0-day vulnerability is found

By Habiba Rashid (HackRead.com)

The 0-day vulnerability in WinRAR, which has been exploited, is targeting traders and has successfully stolen funds from 130 victims so far.

Source: HackRead
Tags: vulnerability, rce, auth, zero_day, sap

KEY FINDINGS

  • A zero-day vulnerability in WinRAR has been exploited by hackers to target traders.

  • The flaw lets hackers conceal malicious scripts within seemingly innocent archive files.

  • The hackers have targeted specialized trading forums to distribute the malicious files.

  • Once a victim opens the malicious file, the hackers can gain unauthorized access to their brokerage accounts.

  • Approximately 130 traders have fallen victim to this scheme, and the financial losses are still being calculated.

Cybersecurity experts have disclosed a zero-day vulnerability in the widely used archiving tool WinRAR. The vulnerability, discovered by cybersecurity company Group-IB, has been exploited by cybercriminals to compromise traders' systems and potentially steal funds.

The vulnerability lies in how WinRAR processes the ZIP file format. It allows attackers to hide malicious scripts inside seemingly innocent archive files that appear to be images or text documents, so that victims open them without realising what they contain. Group-IB first identified the 0-day vulnerability in June, but its researchers suspect that attackers have been taking advantage of it since April.

The attackers’ modus operandi revolves around targeting specialized trading forums. These malicious ZIP archives, cleverly disguised, found their way onto at least eight public forums. Although Group-IB has refrained from disclosing the names of these forums, it has confirmed that they cover a spectrum of subjects, from trading and investments to cryptocurrency-related discussions.

One of these forums, after detecting the presence of malevolent files, issued a warning to its users and took measures to block the attackers’ accounts. Despite this, Group-IB noted that the hackers demonstrated the ability to reactivate disabled accounts, allowing them to continue spreading their damaging files either through threads or private messages.

The aftermath of an unwitting victim opening one of these files is dire. Hackers gain unauthorized access to the victim’s brokerage accounts, providing them with the means to execute illicit financial activities and potentially withdraw funds. At the time of Group-IB’s report, approximately 130 traders had fallen victim to this scheme. However, specific financial losses remain uncertain.

[Figure: A trader discussing how they were targeted in this campaign (Group-IB)]

Remarkably, Group-IB managed to interview a victim who recounted an attempted money withdrawal by the hackers, which fortunately did not succeed. The identities of these cybercriminals remain shrouded in mystery. Nevertheless, Group-IB has identified the use of a Visual Basic trojan called DarkMe, which has previously been associated with the notorious “Evilnum” threat group.

Evilnum, also known as “TA4563,” has a track record of financially motivated activities primarily directed towards financial organizations and online trading platforms. While Group-IB recognized the DarkMe trojan, it was cautious in directly linking this campaign to the Evilnum group.

Taking responsible action, Group-IB promptly reported the vulnerability, which was assigned CVE-2023-38831, to the maker of WinRAR, Rarlab. As a result, an updated version of WinRAR (version 6.23) was released on August 2nd to address this critical security concern.

[Figure: Infection chain (Group-IB)]

WinRAR has been affected by vulnerabilities several times in the past. In October 2021, a remote code execution vulnerability was found in WinRAR's free trial version 5.70, allowing attackers to execute arbitrary code on vulnerable systems. By manipulating a dialog box, attackers could exploit the bug to launch various attacks. The issue was addressed in WinRAR v6.02, released on June 14, 2021.

Further back, in March 2019, it was discovered that WinRAR had carried a code execution vulnerability for 19 years. Over 100 exploits emerged, targeting users in the USA. Attackers could plant undetectable malware when users opened ZIP files, and all WinRAR versions from the previous 19 years were affected. The malware activated on system reboot, and only a few antivirus programs detected it. One exploit was disguised as a bootleg Ariana Grande album.

If you use WinRAR, update your software ASAP!

Related news

Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities

An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2). Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant. "Between late 2022 to present, SloppyLemming

Cybersecurity Agencies Warn of China-linked APT40's Rapid Exploit Adaptation

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40, warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release. "APT 40 has previously targeted organizations in various countries, including

UAC-0099 Hackers Using Old WinRAR Flaw in New Cyberattack on Ukraine

By Waqas (HackRead.com). UAC-0099 is a pro-Russian hacking group that has been targeting Ukraine since the conflict between the two countries began.

UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first

Microsoft Outlook Vulnerability Exploited by Russian Forest Blizzard Group

By Waqas (HackRead.com). Forest Blizzard (aka STRONTIUM, APT28, and Fancy Bear) is thought to have affiliations with or support from the Russian military intelligence agency.

Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan

Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks

Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are

Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good

SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a

APTs Exploiting WinRAR 0day Flaw Despite Patch Availability

By Deeba Ahmed (HackRead.com). All a user needs to do is visit the official WinRAR website and install the latest version to thwart the attack.

Patch Now: APTs Continue to Pummel WinRAR Bug

State-sponsored cyber espionage actors from Russia and China continue to target WinRAR users with various info-stealing and backdoor malware, as a patching lag plagues the software's footprint.

Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

A number of state-backed threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively

Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as

Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT

A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as

WinRAR Remote Code Execution

This Metasploit module exploits a vulnerability in WinRAR (CVE-2023-38831). When a user opens a crafted RAR file and its embedded document, the decoy document is executed, leading to code execution.

Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure

The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (

August 2023: GitHub PoCs, Vulristics, Qualys First-Party, Tenable ExposureAI, SC Awards and Rapid7, Anglo-Saxon list, MS Patch Tuesday, WinRAR, Juniper

Hello everyone! This month I decided NOT to make an episode completely dedicated to Microsoft Patch Tuesday. Instead, this episode will be an answer to the question of how my Vulnerability Management month went. A retrospection of some kind. Alternative video link (for Russia): https://vk.com/video-149273431_456239134 GitHub exploits and Vulristics This month I made some improvements […]

WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files.

CVE-2023-38831

RARLabs WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The issue occurs because a ZIP archive may include a benign file (such as an ordinary .JPG file) and also a folder that has the same name as the benign file, and the contents of the folder (which may include executable content) are processed during an attempt to access only the benign file. This was exploited in the wild in April through August 2023.
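As an added defensive example (not code from the article, Group-IB or RARLAB), the Python below inspects a ZIP's central directory for the layout the CVE description above names: a regular file entry whose name is also used as a folder in the same archive. Entry names such as `chart.jpg` and all contents are constructed placeholders; nothing is extracted or executed.

```python
import io
import zipfile
from typing import Dict, List, Tuple


def _dir_prefixes(name: str) -> List[str]:
    """Every directory implied by an entry path: 'a/b/c' -> ['a', 'a/b']."""
    parts = name.rstrip("/").split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]


def find_file_dir_collisions(data: bytes) -> List[Tuple[str, List[str]]]:
    """Return (file_name, children) for each regular file in the ZIP whose name is
    also used as a directory, i.e. the layout described for CVE-2023-38831.
    A clean archive yields an empty list. Only the central directory is read."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [(i.filename.replace("\\", "/"), i.is_dir()) for i in zf.infolist()]
    regular = {name for name, is_dir in entries if not is_dir}
    children: Dict[str, List[str]] = {}
    for name, is_dir in entries:
        if is_dir:  # explicit directory entry, possibly with no children
            children.setdefault(name.rstrip("/"), [])
        for prefix in _dir_prefixes(name):  # directories implied by nested paths
            children.setdefault(prefix, [])
            if not is_dir:
                children[prefix].append(name)
    return sorted((f, sorted(children[f])) for f in regular if f in children)


def build_archive(files: Dict[str, bytes]) -> bytes:
    """Constructed test helper: build an in-memory ZIP from a name -> content map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the suspicious archive pairs a file with a same-named folder.
SUSPICIOUS = build_archive({
    "chart.jpg": b"placeholder, not a real image",
    "chart.jpg/chart.jpg.cmd": b"echo placeholder",
    "notes.txt": b"harmless",
})
CLEAN = build_archive({"chart.jpg": b"placeholder", "docs/notes.txt": b"harmless"})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, find_file_dir_collisions(blob))
```

A match is a strong signal for mail gateways or forum upload scanners to quarantine the archive, since a regular ZIP creator never produces a file and a folder with an identical name.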