Active Risk Alert: Traders Targeted via WinRAR Vulnerability

Author

ACA Aponix

Publish Date

Type

Cyber Alert

Topics
  • Cybersecurity

A zero-day vulnerability has been identified in versions of the WinRAR compression tool released before August 2, 2023. The vulnerability, assigned the identifier CVE-2023-38831, has been exploited by financially motivated attackers since April 2023, targeting traders in a likely attempt to compromise accounts such as brokerage accounts.

Path of attack

Attackers primarily targeted online forums popular with traders, engaging potential victims in discussion and then offering documents said to contain strategies or advice on the topics of each forum. Security firm Group-IB found that the files sent to targeted traders had been modified. The compressed files contained a decoy file and a folder holding both harmless and malicious files with the same names. When the targeted user attempts to open the decoy file, WinRAR executes the malicious script in the background, installing malware that gives the attackers remote access to the victim's device.
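The archive layout described above (a decoy document beside a folder of the same name that carries a script) is something a mail gateway or file-intake pipeline can check for before an archive ever reaches WinRAR. The following Python script is an added example written for this alert, not code from ACA or Group-IB: it opens a ZIP archive, derives its top-level folders from member paths (ZIP files need not carry explicit directory entries), and reports every top-level file whose name collides with a folder, listing any members of that folder with an executable or script extension. The extension list, the name normalisation and the two in-memory sample archives are constructed for the example; the sample "malicious" entry contains only a placeholder line of text.

```python
import io
import os
import zipfile

# Extensions Windows will run directly or hand to a script host. This set is an assumption
# for the example (the alert does not enumerate file types); tune it to your environment.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".lnk", ".wsf"}


def normalise(name: str) -> str:
    """Comparison key for an entry name: drop a trailing '/', then surrounding whitespace,
    then case, so that cosmetically different names that look alike in a listing collide."""
    return name.rstrip("/").strip().lower()


def find_decoy_collisions(archive_bytes: bytes) -> list:
    """Return one finding per top-level file whose name matches a folder in the same archive.

    Each finding is a dict with: decoy (the file entry), folder (the colliding folder),
    members (all files inside that folder) and scripts (members with a script extension)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]

    # Top-level regular files, keyed by normalised name (first occurrence wins).
    top_level_files = {}
    for name in names:
        if "/" not in name:
            top_level_files.setdefault(normalise(name), name)

    # Top-level folders implied by the first path component of nested members.
    folder_members = {}
    for name in names:
        if "/" in name:
            first = name.split("/", 1)[0]
            folder_members.setdefault(normalise(first), (first, []))[1].append(name)

    findings = []
    for key, decoy in top_level_files.items():
        if key not in folder_members:
            continue  # ordinary file with no same-named folder
        folder, members = folder_members[key]
        scripts = [m for m in members
                   if os.path.splitext(m.rstrip().lower())[1] in SCRIPT_EXTENSIONS]
        findings.append({"decoy": decoy, "folder": folder,
                         "members": members, "scripts": scripts})
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory archive with the decoy/folder layout; all contents are inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Strategy.pdf", "decoy document placeholder (constructed)")
        zf.writestr("Trading_Strategy.pdf/Trading_Strategy.pdf", "harmless twin placeholder")
        zf.writestr("Trading_Strategy.pdf/Trading_Strategy.pdf.cmd", "placeholder text only")
        zf.writestr("README.txt", "unrelated benign file")
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed archive with a document and an unrelated folder; should produce no finding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_Strategy.pdf", "ordinary document placeholder")
        zf.writestr("notes/summary.txt", "ordinary folder content")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_clean_archive()), ("suspicious", build_sample_archive())):
        for hit in find_decoy_collisions(data):
            print(f"[{label}] file {hit['decoy']!r} collides with folder {hit['folder']!r}; "
                  f"script members: {hit['scripts']}")
```

To use it on real intake, replace the constructed archives with the bytes of the submitted file; a finding with a non-empty `scripts` list is a strong signal to quarantine the archive and confirm the recipient's WinRAR version, while a collision with no script members still deserves a look, since the folder should not exist at all in a legitimately packaged document.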

Impact

Devices of at least 130 traders have been affected through attacks on at least 8 public forums. These forums have not yet been named, and the financial impact of the attacks is so far unknown.

After being notified of the vulnerability, RARLab, the maker of WinRAR, released a patched version of the application on August 2, 2023.

Recommended action

Firms should encourage staff and clients to manually update WinRAR to the most recent version, 6.23, to ensure the vulnerability has been addressed. Companies should also enforce the use of standard user accounts instead of administrator accounts wherever possible.

Additionally, staff and clients should be reminded to exercise caution when interacting with others on public forums.

How we help

ACA provides services to help organizations tackle threats such as phishing, including:


For questions about this alert, or to find out how we can help you meet your regulatory cybersecurity obligations, please reach out to your trusted cyber advisor or contact us here.
