Cyber criminals are exploiting a vulnerability in the WinRAR archiver, even though information about its existence has already been published and the developer has released an updated version of the program in which the vulnerability is fixed. Experts at Group-IB noted the increase in hacker activity.
The WinRAR vulnerability allows attackers to hide malicious scripts in archives and disguise them as seemingly harmless JPG and TXT files. Hackers have been exploiting the archiver's vulnerability since at least April this year by posting malicious files on specialized trading forums; experts have found such archives on eight websites dedicated to stock exchange trading, investments and cryptocurrencies. In one case, the forum administration learned of the incident, deleted the files and blocked the users who distributed them. However, the attackers found a way to get unblocked and continued spreading the malware.
When a victim opens such a file, the hackers gain access to their brokerage accounts, through which they conduct illegal financial transactions and steal funds, Group-IB said. So far it has been determined that at least 130 traders' computers have been infected, but the extent of the financial damage cannot be estimated at this time.
There is no reliable data on the organizers of the attack, but it is known that the hackers used the Visual Basic Trojan DarkMe, previously associated with the Evilnum group, also known as TA4563. That group has been operating in Europe and the UK since at least 2018, targeting financial institutions and online trading platforms.