Days after fixing the vulnerability, details have surfaced online about a WinRAR zero-day vulnerability that went under attack. The researchers noticed active exploitation of the vulnerability to target traders. While the patch has already arrived, many devices still need users’ attention to receive the updates.
WinRAR Zero-Day Exploited In The Wild
Researchers from Group-IB have shared a detailed post about a zero-day vulnerability in WinRAR. Given WinRAR’s huge user base, the zero-day caused a severe threat to the users as it went under attack before the patch could arrive.
Specifically, the vulnerability, CVE-2023-38831, impacted the processing of the ZIP format, allowing the adversary to spoof the malicious executable file as a .jpg or .txt file within the archive. However, successfully exploiting the flaw required an attacker to lure the victim user into interacting with the infected file.
As elaborated, the researchers found the vulnerability being exploited for spreading the DarkMe malware. Some cases also showed the dissemination of other malware, such as GuLoader (CloudEye) and Remcos RAT. However, they noticed a specific pattern for the victims, mainly traders.
The threat actors leverage the vulnerability to create malicious archives that they upload on popular trading forums. To lure victims, the threat actors accompany the files with catchy texts to grab the attention of avid traders.
Clicking on the malicious zipped file would execute the embedded payload on the target device, allowing the attackers to withdraw money from the victims’ broker accounts.
Following this discovery, the researchers reported the matter to WinRAR developers, who patched the flaw. They released the fix with the WinRAR version 6.23 earlier this month.
However, at that time, the official RARLAB advisory didn’t state any details about this specific flaw, mentioning only the fix and highlighting another critical severity remote code execution reported earlier. But in the updated advisory, they have also confirmed patching the zero-day CVE-2023-38831.
Since this zero-day is already under attack, users must rush to update their systems with the latest WinRAR release to avoid the threat.
Let us know your thoughts in the comments.