Cyber Security Threat Summary:
According to Group-IB a WInRaR zero-day vulnerability was actively exploited to install malware when clicking on harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by creating specially crafted archives with a slightly modified structure compared to safe files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file. In turn, this results in the program skipping the harmless file and instead locating and executing a batch or CMD script, so while the user assumes they open a safe file, the program launches a different one.

Security Officer Comments:
Since April 2023, this vulnerability has been actively exploited to distribute various malware families including DarkMe, GuLoader, Remcos RAT. In particular, several threat actors have been observed posting links to specially crafted WinRAR Zip or RAR archives on cryptocurrency and stock trading forums, that pretend to include trading strategies. When these archives are opened, users will see what appears to be a harmless PDF file. However, if the user double-clicks on the PDF, this will initiate the exploitation of CVE-2023-38831 which will then launch a script in the folder to install malware on the device. At the same time, these scripts will also load the decoy document so as not to arouse suspicion.

In total researchers at Group-IB observed malicious archives being distributed on at least eight public trading forums, infecting 130 confirmed trader’s devices. At the moment, the campaign has yet to be attributed to a known threat group. “Although the DarkMe malware strain has been associated with the financially motivated EvilNum group, it is unclear who leveraged CVE-2023-38831 in the recently observed campaign”

Suggested Correction(s):
The zero-day was fixed in WinRAR version 6.23, released on August 2, 2023. Users should apply the patches as soon as possible.

Link(s):
https://www.bleepingcomputer.com/