Still a dedicated WinRAR user? You need to update your software right now, especially if you’ve got cryptocurrency. A zero-day vulnerability in WinRAR has been allowing hackers to break into trading accounts, and they’ve been actively working this exploit since April. The same vulnerability could be used to install other types of malware on your system as well.
The way it works: you open a malicious zip file in WinRAR, which, once installed, is the default program for all compressed file formats on your PC. The archive is full of seemingly innocent documents: PDFs, text files, JPG images. You double-click one to open it, and it opens. But unbeknownst to you, WinRAR was also tricked into loading a script in the background, which installs malware that lets attackers steal money from brokerage accounts.
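One way a defender can triage archives for this kind of layout, as an added example that is not from the article, from WinRAR, or from Group-IB: public analyses of CVE-2023-38831 describe an archive in which a document-named file has a same-named directory (differing only by a trailing space) that holds a script, and the script runs when the document is opened. The checker below flags that structure; the extension lists, function names and the in-memory sample archive are all constructed here.

```python
import io
import posixpath
import zipfile

# Constructed lists; extend them for your own environment.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe", ".scr"}
DOC_EXTENSIONS = {".pdf", ".txt", ".jpg", ".jpeg", ".png", ".docx", ".xlsx"}


def normalise(path):
    # The lookalike layout relies on a trailing space, so compare names
    # with trailing whitespace removed and case folded.
    return path.rstrip().lower()


def extension(path):
    return posixpath.splitext(path.rstrip())[1].lower()


def find_lookalike_entries(archive_bytes):
    """Return (document, script) pairs where a script sits inside a directory
    whose name matches a document file elsewhere in the same archive."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    documents = {normalise(n): n for n in names if extension(n) in DOC_EXTENSIONS}
    hits = []
    for name in names:
        if extension(name) not in SCRIPT_EXTENSIONS:
            continue
        parent = normalise(posixpath.dirname(name))
        if parent in documents:
            hits.append((documents[parent], name))
    return hits


def build_sample_archive(lookalike):
    """Constructed in-memory sample, not a real malicious file. With
    lookalike=True it mimics the suspicious layout with harmless placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"constructed benign note")
        zf.writestr("tools/helper.cmd", b"rem constructed, unrelated script")
        if lookalike:
            zf.writestr("Trading Strategy.pdf ", b"%PDF-1.4 placeholder")
            zf.writestr("Trading Strategy.pdf /Trading Strategy.pdf .cmd",
                        b"rem constructed placeholder, does nothing")
        else:
            zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
            zf.writestr("report/notes.txt", b"constructed benign note")
    return buf.getvalue()
```

A script that merely lives in some unrelated directory (`tools/helper.cmd` in the sample) is not flagged; only a script whose parent directory name matches a document entry is.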
As reported by Bleeping Computer, WinRAR version 6.23 fixes this issue along with others, including a flaw that allows commands to be executed if you open certain kinds of RAR files (that is, RAR files created in a specific way to exploit that flaw). It was released on August 2 and should be available to all WinRAR users.
Cybersecurity company Group-IB discovered this vulnerability (filed as CVE-2023-38831) while tracking the spread of the DarkMe malware family, which has previously been linked to financial attacks. The tainted zip files, posted on forums for cryptocurrency and stock trading, contained DarkMe as well as other malware families like GuLoader and Remcos. The latter two allow more malware to be downloaded and installed on your PC and give the attacker the ability to run any command, record keystrokes, capture the screen, manage files, and more. (For deeper technical details, check out Bleeping Computer’s rundown of the exploit.)
At the time of Group-IB’s report, 130 traders had been confirmed as infected. The zip files were shared on at least eight forums, all under the guise of helping others improve their income. The full victim count and the amount of financial damage are not yet known.
If nothing else, this WinRAR attack is yet another reminder that the old security tip of never downloading strange files off the internet (much less opening them) still holds true. It can also be seen as more incentive to upgrade to Windows 11, which will soon natively support compressed file formats like RAR, 7-Zip, and gz, with no need for third-party software.
Alaina Yee is PCWorld’s resident bargain hunter—when she’s not covering software, PC building, and more, she’s scouring for the best tech deals. Previously her work has appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. You can find her on Twitter at @morphingball.