If you use WinRAR, it’s time to patch. Since April, hackers have been exploiting a previously unknown vulnerability in the software to spread malware to unsuspecting victims.
The findings come from cybersecurity firm Group-IB, which spotted hackers abusing the flaw to infect at least 130 devices with malware. Group-IB today warned about the dangers, days after a second vulnerability, dubbed CVE-2023-40477, was disclosed in WinRAR, which can also be abused to launch malware.
The vulnerability uncovered by Group-IB has been designated CVE-2023-38831. By abusing the flaw, a hacker can “spoof” a file extension in an archive file, making it easy to hide malicious programs under benign file formats, such as .jpg or .txt.
Group-IB found that hackers exploited the flaw to create ZIP archives containing malicious programs such as DarkMe, GuLoader, and Remcos RAT, which can act as spyware, download additional malware, or hijack a computer. The hackers then uploaded the malicious ZIP archives to public forums frequented by financial traders.
“After infecting devices, the cybercriminals withdraw money from broker accounts. The total amount of financial losses is still unknown,” according to Group-IB, which also discovered the malicious ZIP archives on “at least eight popular trading forums.”
After discovering the flaw in July, Group-IB reported its findings to WinRAR, which was quick to address the problem. On Aug. 2, the team released a fix through WinRAR version 6.23, which patches both CVE-2023-38831 and CVE-2023-40477.
Because WinRAR has over 500 million users, any serious flaw in the software risks endangering numerous victims, unless they download the latest version. Group-IB notes that WinRAR is so popular, it’s also often used to open archive files sent via email. Hence, users should consider updating as soon as possible.