
Hackers steal money from brokers’ accounts due to WinRAR vulnerability

  • August 23, 2023


Cybercriminals are exploiting a vulnerability in the WinRAR archiver. Information about the flaw has already been made public, and the developer has released an updated version of the program in which the vulnerability is closed. Experts at Group-IB discovered an increase in hacker activity.

The vulnerability in WinRAR allows attackers to hide malicious scripts in archives by disguising them as innocent-looking JPG and TXT files. Hackers have been exploiting it since at least April of this year, placing malicious files on private trading forums; experts found such archives on eight platforms devoted to stock trading, investments and cryptocurrencies. In one case, the forum administration learned of the incident, deleted the files and blocked the users who distributed them, but those users were able to remove the block and continue distributing the malicious data.

Group-IB said that when a victim opens such a file, the hackers gain access to the victim's brokerage account, allowing them to make illegal financial transactions and steal funds. At least 130 traders' computers are known to be infected so far, but it is not possible to estimate the amount of financial losses at this stage.

There is no reliable information yet about the attackers, but it is known that they used the DarkMe Visual Basic trojan, which was previously associated with the Evilnum group, also known as TA4563. That group has been operating in Europe and the UK since at least 2018 and targets financial institutions and online trading platforms.

Source: Port Altele
