
Attackers exploited WinRAR zero-day for months to steal money from brokers (CVE-2023-38831)
2023-08-23 15:44

Financially-motivated attackers have exploited a zero-day vulnerability in WinRAR to trick traders into installing malware that would allow them to steal money from broker accounts.

CVE-2023-38831 is a file extension spoofing vulnerability: it let attackers craft a RAR or ZIP archive in which a harmless-looking decoy file (an image or text document) sits next to a folder of the same name that holds a malicious script. When the user double-clicks the decoy inside WinRAR, the script from that folder is executed instead.

"All the archives we identified were created using the same method. They also all had a similar structure, consisting of a decoy file and a folder containing a mix of malicious and unused files. If the user opens the decoy file, which appears as a .txt, .jpg, or another file extension in WinRAR, a malicious script is instead executed," Group-IB malware analyst Andrey Polovinkin explained.

The decoy file is also opened, to complete the illusion, while in the background the script installs DarkMe, GuLoader and/or the Remcos RAT, giving the attackers remote access to the victim's computer.
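The archive layout described above is easy to look for in the ZIP central directory before anyone opens the file. The following scanner is an added example, not code from the article or from Group-IB. It assumes the layout reported in public analyses of the exploit: a folder whose name is the decoy's name plus a trailing space, containing a script whose name starts with the decoy's name (the page itself only says "a decoy file and a folder"). The sample archives, the `build_archive` helper and the extension list are constructed here for illustration.

```python
"""Added example: heuristic scan of a ZIP archive for the CVE-2023-38831 layout
(a decoy file shadowed by a same-named folder that carries a script)."""
import io
import os
import zipfile

# Assumption: payload types worth flagging. WinRAR hands the opened name to
# the shell, so script and executable extensions are what matter here.
SUSPICIOUS_EXTS = {".cmd", ".bat", ".vbs", ".js", ".wsf", ".ps1", ".exe", ".scr", ".lnk"}


def find_spoofed_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return sorted (decoy_path, payload_path) pairs found in the archive.

    A hit is a file entry X that has a sibling folder named X plus trailing
    whitespace, where that folder holds an entry whose leaf name starts
    with X and ends in one of SUSPICIOUS_EXTS.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    file_entries = {n for n in names if not n.endswith("/")}
    hits = []
    for name in file_entries:
        parts = name.split("/")
        leaf = parts[-1]
        ext = os.path.splitext(leaf)[1].lower()
        # Walk every directory component; the spoofed folder may be nested.
        for depth, folder in enumerate(parts[:-1]):
            decoy_leaf = folder.rstrip()
            if decoy_leaf == folder:
                continue  # no trailing whitespace, not the pattern we want
            decoy_path = "/".join(parts[:depth] + [decoy_leaf])
            if (decoy_path in file_entries
                    and leaf.startswith(decoy_leaf)
                    and ext in SUSPICIOUS_EXTS):
                hits.append((decoy_path, name))
    return sorted(hits)


def build_archive(entries: list[tuple[str, bytes]]) -> bytes:
    """Constructed helper: write (name, data) pairs into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a decoy image shadowed by "decoy name + space" folder.
MALICIOUS_ZIP = build_archive([
    ("trading_strategy.jpg", b"\xff\xd8\xff\xe0 constructed decoy jpeg bytes"),
    ("trading_strategy.jpg /trading_strategy.jpg .cmd",
     b"REM constructed placeholder, stands in for the real script\r\n"),
    ("trading_strategy.jpg /unused.dat", b"filler the attacker never uses"),
])

# Constructed sample: ordinary archive with a same-named file in a subfolder.
BENIGN_ZIP = build_archive([
    ("readme.txt", b"hello"),
    ("docs/readme.txt", b"nested copy, no trailing-space folder"),
])

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, find_spoofed_entries(blob))
```

The check reads only the central directory, so it is safe to run on untrusted archives from a mail gateway or a forum upload hook; a hit means the archive should be quarantined regardless of what the decoy looks like.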

"Taking one of the affected forums as an example, some of the administrators became aware that harmful files were being shared on the forum, and subsequently issued a warning to users. Despite this warning, further posts were made and more users were affected. Our researchers also saw evidence that the threat actors were able to unblock accounts that were disabled by forum administrators to continue spreading malicious files, whether by posting in threads or sending private messages," he added.

RARLAB fixed the flaw in WinRAR 6.23, but WinRAR has no auto-update mechanism, so users have to install the new version themselves. With all the vulnerability details now public, other attackers may soon replicate the original exploit or build easy-to-use tools that let less tech-savvy cyber crooks create booby-trapped archives.


News URL

https://www.helpnetsecurity.com/2023/08/23/cve-2023-38831-exploited/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                            RISK
2023-08-23  CVE-2023-38831  Insufficient Verification of Data Authenticity vulnerability in Rarlab WinRAR   7.8
            RARLAB WinRAR before 6.23 allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive.
            Attack vector: local; attack complexity: low; vendor: rarlab; weakness: CWE-345; CVSS score: 7.8