Carding
Professional
Evilnum back in action?
Hackers are actively exploiting a recently discovered vulnerability in the popular Windows archiving program, WinRAR, to break into traders' accounts and steal their funds. The vulnerability was discovered by Group-IB in June of this year and affects the processing of ZIP files by the program.
The zero-day vulnerability allows attackers to hide malicious scripts in archive files, disguising them as ".jpg" images or ".txt" text files, which in turn compromises the target machines.
Since April of this year, hackers have been distributing malicious archives on specialized trading forums. Group-IB has discovered malicious archives hosted on at least eight public forums related to trading, investing, and cryptocurrencies. The company did not disclose the names of these forums.
After detecting malicious files on one of the forums, the administration warned its users and blocked the accounts of the attackers. However, Group-IB found evidence that hackers managed to unblock accounts disabled by the administration and continue distributing malicious files.
When an infected file is opened, hackers gain access to victims' brokerage accounts and can conduct illegal financial transactions. To date, the devices of at least 130 traders have been infected.
It is not known who is behind the exploitation of this vulnerability in WinRAR. However, Group-IB noted that hackers used the DarkMe Trojan, previously linked to the threat group "Evilnum", active in the UK and Europe since 2018 and known for its attacks on financial institutions and online trading platforms.
Group-IB reported the vulnerability to WinRAR developers, and on August 2, an updated version of the program (6.23) was released, in which the problem was fixed.
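A defender-side check prompted by the report above, added here as an example and not code from the post or from Group-IB: it walks a ZIP's entries and flags ".jpg" or ".txt" names whose bytes look like a Windows script or a PE file rather than an image or a note. The marker list and the constructed sample archive are assumptions, not indicators from the report.

```python
import io
import zipfile

# The report says the scripts were disguised as .jpg or .txt; these are the
# headers/markers used to tell a real image or note from a script or PE file.
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
TEXT_EXT = {".txt"}
SCRIPT_MARKERS = (b"@echo off", b"cmd /c", b"cmd.exe", b"powershell", b"wscript", b"cscript", b"mshta")


def looks_executable(data: bytes) -> bool:
    """True if the first 4 KB carries a PE header or a Windows script marker."""
    head = data[:4096]
    if head.startswith(b"MZ"):
        return True
    lowered = head.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)


def inspect_zip(blob: bytes) -> dict:
    """Return {entry_name: [reasons]} for entries whose bytes contradict their extension."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rstrip()  # "photo.jpg " is still judged as a .jpg
            ext = name[name.rfind("."):].lower() if "." in name else ""
            if ext not in IMAGE_MAGIC and ext not in TEXT_EXT:
                continue
            data = zf.read(info)
            reasons = []
            if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
                reasons.append("no JPEG header behind a %s extension" % ext)
            if looks_executable(data):
                reasons.append("script/executable content behind a %s extension" % ext)
            if reasons:
                findings[info.filename] = reasons
    return findings


def make_sample_archive() -> bytes:
    """Constructed sample: two genuine files plus two scripts under benign names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("chart.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("notes.txt", b"Q2 setup, entry at the support level.\n")
        zf.writestr("analysis.jpg", b"@echo off\r\nrem constructed decoy, no payload\r\n")
        zf.writestr("readme.txt", b"MZ\x90\x00" + b"\x00" * 64)
    return buf.getvalue()
```

Running `inspect_zip(make_sample_archive())` reports only the two decoy entries; the genuine image and note pass. On a real mail or forum upload path the same function can be fed each archive before it reaches a user.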