Targeting Crypto Accounts Through Zero-Day Exploits On WinRAR


VTA-004457 – Targeting Crypto Accounts Through Zero-Day Exploits On WinRAR

A possible link to Russia’s financially motivated Evilnum group has been identified in an ongoing cyber threat targeting users of online cryptocurrency trading communities. The attack relies on exploiting a previously unknown (zero-day) vulnerability in the widely used WinRAR file compression tool.

The vulnerability, tracked as CVE-2023-38831, allowed attackers to plant malicious code in a ZIP archive while disguising it as a harmless file type such as “.jpg” or “.txt”. The booby-trapped archives were then shared on online cryptocurrency trading forums.

The campaign began around April, before Group-IB researchers discovered the security flaw. Once it had, Group-IB notified WinRAR developer Rarlab, which released a beta update on July 20 and then a patched version (6.23) on August 2. Despite this, around 130 cryptocurrency trading forum systems remain infected. Group-IB advised WinRAR’s estimated 500 million users to install the updated version immediately to reduce their exposure.

Group-IB discovered the zero-day while investigating DarkMe, a remote access trojan first described by NSFocus last year and linked to Evilnum. The malware has spying capabilities and serves as a loader for other malware; NSFocus had observed DarkMe being used, alongside Evilnum tooling, in attacks on online casinos and trading platforms internationally. The vulnerability itself stems from the way WinRAR handles ZIP files, which lets an attacker hide malware inside an archive and have it delivered to targeted systems. Group-IB identified three malware families distributed this way: DarkMe, GuLoader and Remcos RAT.
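The layout CVE-2023-38831 abuse depends on is a harmless-looking file stored beside a directory of the same name that holds a script or executable, so a defender can screen incoming archives for exactly that shape. The scanner below is an added example, not code from the advisory or from Group-IB: it lists the entries of a ZIP, normalizes names by stripping trailing spaces (the in-the-wild samples used a trailing-space variant of the decoy name), and flags any decoy file whose name also exists as a directory. The extension lists are constructed assumptions, and the two sample archives are built in memory and are not real malware.

```python
# Added example (not the advisory's or Group-IB's code): flag ZIP archives laid out the way
# CVE-2023-38831 abuse requires, i.e. a harmless-looking file sitting beside a directory of the
# same name that holds a script or executable. Names are compared after stripping trailing
# spaces, since the exploit relied on a trailing-space variant of the decoy name.
import io
import posixpath
import zipfile

# Constructed assumptions: extensions a forum user would consider harmless, and the
# payload types typically launched from the same-named directory.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc", ".docx"}
PAYLOAD_EXTENSIONS = {".exe", ".cmd", ".bat", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def _ext(name):
    """Lower-cased extension of an entry name, ignoring trailing spaces."""
    return posixpath.splitext(name.rstrip())[1].lower()


def find_decoy_collisions(archive_bytes):
    """Return [(decoy_file, [payload entries])] for every harmless-looking file
    that shares its (space-stripped) name with a directory in the archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]

    # Every directory present in the archive, explicitly or as a parent of some
    # entry, mapped to the entries stored beneath it.
    children = {}
    for name in names:
        if name.endswith("/"):
            children.setdefault(name.rstrip("/").rstrip(), [])
        parts = name.rstrip("/").split("/")
        for depth in range(1, len(parts)):
            parent = "/".join(parts[:depth]).rstrip()
            children.setdefault(parent, []).append(name)

    findings = []
    for name in names:
        if name.endswith("/") or _ext(name) not in DECOY_EXTENSIONS:
            continue
        key = name.rstrip()
        if key in children:
            payloads = [c for c in children[key] if _ext(c) in PAYLOAD_EXTENSIONS]
            findings.append((name, payloads))
    return findings


def is_suspicious(archive_bytes):
    """True when at least one decoy/directory collision is present."""
    return bool(find_decoy_collisions(archive_bytes))


def build_sample_archive(entries):
    """Build an in-memory ZIP from (name, bytes) pairs; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real malware: a normal archive and one with the exploit layout.
BENIGN_ARCHIVE = build_sample_archive([
    ("notes.txt", b"meeting notes"),
    ("images/chart.jpg", b"\xff\xd8\xff"),
])
SUSPICIOUS_ARCHIVE = build_sample_archive([
    ("Screenshot.jpg ", b"\xff\xd8\xff"),                                # decoy, trailing space
    ("Screenshot.jpg /Screenshot.jpg .cmd", b"echo constructed sample"),  # script in same-named folder
])

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_ARCHIVE), ("suspicious", SUSPICIOUS_ARCHIVE)):
        print(label, find_decoy_collisions(data))
```

Run against the archives a mail gateway or forum upload handler receives, any hit is worth quarantining regardless of what the decoy file itself contains, since the interesting part is the directory beside it, not the bytes in the image or text file.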

The attacker distributed the weaponized ZIP archives on eight public forums visited by online marketers. The archives were attached to forum posts or sent as private messages, and often claimed to contain valuable business information to attract attention. Forum administrators occasionally detected the malicious files and warned users, but the threat persisted; in some cases attackers took over banned accounts to keep distributing the malware.

Once installed, the malware infiltrated victims’ business accounts and made unauthorized transactions with funds. Although the DarkMe Trojan suggests the involvement of Evilnum, Group-IB has not definitively attributed the WinRAR attacks to this threat group.


Technical Impact Analysis:
Loss of Confidentiality

Business Impact Analysis:
Privacy Violation

Attack Surfaces:

Indicators of Compromise:


SuperPRO’s Threat Countermeasures Procedures:
1. Update WinRAR to the latest patched version (6.23 or later).
2. Ensure that your security software is up to date and configured to detect and block malware threats.
3. Do not download attachments from unknown individuals, as they may contain malicious files.
4. Use strong passwords and don’t reuse them across different websites.
5. Enable two-factor authentication (2FA) on all your accounts.
6. Never share your private keys or seed phrases with anyone.
7. Store your cryptocurrency in a secure hardware wallet.
8. Avoid clicking on links or downloading attachments from unknown or suspicious sources.
9. Continuously monitor your network traffic for any unusual or suspicious activity.
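The first countermeasure above can be verified rather than assumed. The following added example, which is not part of the advisory, compares the WinRAR version registered in the Windows Uninstall keys against the patched 6.23 release named in the advisory. The registry paths and the assumption that WinRAR registers with a DisplayName beginning “WinRAR” and a DisplayVersion such as “6.22.0” are assumptions about the installer, not facts from the page; the version comparison is pure Python and runs anywhere, while the registry walk is skipped off Windows.

```python
# Added example (not from the advisory): flag WinRAR installations older than the
# patched 6.23 release. Registry layout and DisplayName prefix are assumptions.
import re

PATCHED_VERSION = (6, 23)


def parse_version(text):
    """Turn '6.22.0' or '6.23' into a tuple of ints; non-numeric text is ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_below_patched(version_text):
    """True when the installed version predates 6.23; short tuples are padded with
    zeros so that '6.23' and '6.23.0' compare equal."""
    installed = parse_version(version_text)
    width = max(len(installed), len(PATCHED_VERSION))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(installed) < pad(PATCHED_VERSION)


def find_winrar_installs():
    """Return [(DisplayName, DisplayVersion)] for Uninstall entries whose name starts
    with 'WinRAR' (assumed prefix), from both the 64-bit and 32-bit registry views.
    Returns an empty list on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return []  # not Windows
    found = []
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as key:
                        name, _ = winreg.QueryValueEx(key, "DisplayName")
                        version, _ = winreg.QueryValueEx(key, "DisplayVersion")
                except OSError:
                    continue  # entry lacks one of the values
                if str(name).startswith("WinRAR"):
                    found.append((str(name), str(version)))
    return found


if __name__ == "__main__":
    installs = find_winrar_installs()
    if not installs:
        print("No WinRAR entry found in the Uninstall registry keys (or not running on Windows).")
    for name, version in installs:
        status = "VULNERABLE, update now" if is_below_patched(version) else "OK"
        print(f"{name} {version}: {status}")
```

A portable WinRAR copied into a user directory does not appear in the Uninstall keys, so pair this with a file-based inventory (hashing WinRAR.exe and reading its file version) when the host estate allows it.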

Contributed by: Sazrul