Carlos Hernandez
Cybercriminals Exploit WinRAR Zero-Day to Target Traders and Steal Funds

A zero-day vulnerability in WinRAR, the widely used archiving tool for Windows, is being exploited by cybercriminals to target traders and steal funds. Discovered by cybersecurity company Group-IB in June, the flaw lies in how WinRAR handles ZIP archives. An attacker packs a decoy file with a harmless-looking name such as a ".jpg" image or ".txt" document next to a folder that carries the same name plus a trailing space, and places a script inside that folder. When the victim double-clicks the decoy in a vulnerable WinRAR, the script is extracted and run instead of, or alongside, the file they expected to open, compromising the machine.
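The following scanner is an added example, not code from Group-IB, RARLAB or the article's author. It illustrates the archive layout described above by inspecting ZIP entry names for the documented pattern (a decoy file next to a same-named folder with a trailing space that holds an executable script). The two sample archives are constructed in memory with placeholder content; the function name and the extension list are the example's own choices.

```python
"""Flag ZIP archives laid out the way the CVE-2023-38831 lures were (added example).

Documented pattern:  "report.pdf"  +  "report.pdf /report.pdf .cmd"
Opening the decoy "report.pdf" in WinRAR before 6.23 runs the .cmd script.
Only entry names are examined; nothing is extracted or executed.
"""
import io
import posixpath
import zipfile

# Script/binary extensions Windows will launch; assumption for this example.
EXECUTABLE_EXTS = {
    ".cmd", ".bat", ".exe", ".com", ".scr", ".pif",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1",
}


def find_cve_2023_38831_pairs(data: bytes) -> list:
    """Return (decoy, script) pairs matching the trailing-space folder pattern.

    data is the raw bytes of a ZIP file.  Nested paths are handled, so
    "docs/report.pdf" paired with "docs/report.pdf /report.pdf .cmd" is caught.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]

    # Regular file entries, keyed by their full path inside the archive.
    files = {n for n in names if not n.endswith("/")}
    hits = []
    for name in names:
        if name.endswith("/"):
            continue  # explicit directory entry, nothing to launch
        parent, base = posixpath.split(name)
        if not parent.endswith(" "):
            continue  # parent folder does not carry the trailing-space trick
        decoy_path = parent[:-1]                 # "docs/report.pdf"
        decoy_base = posixpath.basename(decoy_path)  # "report.pdf"
        ext = posixpath.splitext(base)[1].lower()
        # Script must sit beside a real decoy of the same name and be executable.
        if (decoy_path in files
                and base.startswith(decoy_base + " ")
                and ext in EXECUTABLE_EXTS):
            hits.append((decoy_path, name))
    return hits


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archives with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Strategy.pdf", b"%PDF-1.4 placeholder, not a document")
        if malicious:
            # Same name as the decoy plus a trailing space, holding a script.
            zf.writestr("Trading_Strategy.pdf /Trading_Strategy.pdf .cmd",
                        b"@echo off\r\necho placeholder\r\n")
        else:
            zf.writestr("notes/readme.txt", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", build_sample(True)), ("clean", build_sample(False))):
        print(label, find_cve_2023_38831_pairs(sample))
```

Run it against a real archive with `find_cve_2023_38831_pairs(open(path, "rb").read())`. The check is deliberately narrow: it flags only the documented decoy-plus-folder layout, so a folder with a trailing space that contains no executable, or a script that does not share the decoy's name, is not reported. Loosen the conditions if you prefer more alerts over fewer false positives, and remember that the fix on the user side is still updating WinRAR to 6.23 or later.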
The vulnerability has been exploited since at least April, with the attackers posting malicious ZIP archives on specialized trading forums. Group-IB noted that at least eight public forums were used to spread the archives, covering various trading, investment, and cryptocurrency-related topics.
Administrators of one targeted forum detected the presence of malicious files, warned their users, and attempted to block attacker accounts.
However, the hackers managed to reactivate disabled accounts to continue spreading the malicious files.
When a victim opens the decoy file, the hidden script runs and installs malware that gives the attackers access to the machine. From there they reach the victim's brokerage accounts, conduct illicit financial transactions and withdraw funds. So far Group-IB has identified at least 130 infected traders' devices, though the extent of the financial losses remains uncertain.
The identity of those behind the exploitation of the WinRAR zero-day is currently unknown. Group-IB observed the use of DarkMe, a Visual Basic trojan previously linked to the "Evilnum" threat group, but could not definitively attribute the campaign to that financially motivated group.
Group-IB reported the vulnerability, tracked as CVE-2023-38831, to WinRAR's developer, RARLAB. An updated version of WinRAR (6.23) was released on August 2 to address the issue. WinRAR does not update itself, so users must download and install the new version manually.