Group-IB: Discovers Zero-Day Vulnerability Exploited by Threat Actors in WinRAR
Category: Vulnerability | Industry: Financial | Source: Group-IB
Group-IB Threat Intelligence discovered and reported in-the-wild exploitation of a zero-day vulnerability in WinRAR, tracked as CVE-2023-38831. The flaw lets attackers spoof file extensions, so that a malicious script inside an archive appears to be a harmless image or text file. The cybercriminals have been abusing the vulnerability since April 2023, distributing weaponised ZIP archives on public trading forums and specifically targeting traders; the archives serve as the first stage for several malware families, including DarkMe, GuLoader, and Remcos RAT.
Once a victim opens the decoy file, the malicious script is executed and the attack begins. Group-IB attributed the root cause to a "processing error in opening the file in the ZIP archive," which leads to the unintended execution of scripts. Although some overlaps in tooling were observed, for example between the DarkMe Trojan and EvilNum, Group-IB drew no definitive conclusions about threat actor attribution. Following Group-IB's research and coordination with RARLAB and Eugene Roshal, the developer of the RAR format and the WinRAR archiver, the vulnerability was fixed in WinRAR version 6.23, released on August 2nd, 2023. Group-IB encourages all users to update to the latest version of WinRAR to mitigate the risk posed by CVE-2023-38831.
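As an added illustration of the extension-spoofing trick described above (example code written for this page, not Group-IB's or RARLAB's code), the following Python scanner flags ZIP archives laid out the way the CVE-2023-38831 lures were publicly described: a decoy entry whose name ends in a trailing space (for example "image.jpg ") sits beside a directory of the same name that holds a script (for example "image.jpg .cmd"), so that opening the decoy in a vulnerable WinRAR runs the script. The two archives below are constructed in memory for the demonstration, carry only placeholder bytes, and are not real samples; the entry names, the extension lists and the function name are the author's assumptions.

```python
import io
import os
import zipfile

# Extensions that a Windows shell would execute if handed the file.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".pif", ".com"}


def _make_zip(entries):
    """Build a ZIP in memory from (name, bytes) pairs. Used only to construct
    the demonstration archives; entry names are stored verbatim, so a trailing
    space in a name survives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archive mirroring the CVE-2023-38831 layout (placeholder content,
# the "script" is an inert echo, not malware).
SUSPICIOUS_ZIP = _make_zip([
    ("trading_strategy.jpg ", b"\x89PNG placeholder"),
    ("trading_strategy.jpg /trading_strategy.jpg .cmd", b"echo constructed-sample\r\n"),
])

# Constructed benign archive: same decoy name, no trailing space, no same-name directory.
BENIGN_ZIP = _make_zip([
    ("trading_strategy.jpg", b"\x89PNG placeholder"),
    ("notes/readme.txt", b"nothing to see here\n"),
])


def find_cve_2023_38831_pattern(zip_bytes):
    """Return (decoy_entry, script_entry) pairs for every top-level entry whose
    name carries trailing whitespace and which also acts as a directory
    containing an executable script. An empty list means the layout was not found."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    findings = []
    top_level_files = [n for n in names if "/" not in n]
    for decoy in top_level_files:
        if decoy == decoy.rstrip():
            continue  # no trailing whitespace, not the spoofing layout
        prefix = decoy + "/"
        for other in names:
            if not other.startswith(prefix) or other == prefix:
                continue
            leaf = other[len(prefix):]
            ext = os.path.splitext(leaf.rstrip())[1].lower()
            if ext in SCRIPT_EXTS:
                findings.append((decoy, other))
    return findings


if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        hits = find_cve_2023_38831_pattern(blob)
        print(f"{label}: {'FLAGGED ' + str(hits) if hits else 'clean'}")
```

The check inspects only the central directory, so it never extracts anything and can be run on quarantined attachments; it is a triage aid for archives that reached users before the WinRAR 6.23 update, not a replacement for patching.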