Evilnum-Linked Actor Exploits WinRAR Bug to Target Cryptocurrency Traders
Threat Actor Linked To Russia's Evilnum Group

Overt Operator
August 24, 2023
A threat actor potentially linked to Russia's financially motivated Evilnum group has been targeting users of online cryptocurrency trading forums. The attacker exploited a recently patched vulnerability in the widely used WinRAR file compression and archiving tool.
The bug allowed the malicious actor to conceal harmful code within files posing as common formats, such as ".jpg" and ".txt," and distribute them within cryptocurrency trading forums.
Since at least April, cyberattacks exploiting a vulnerability known as CVE-2023-38831 have been observed targeting users active in online cryptocurrency trading forums.
The vulnerability, found in the widely used WinRAR software, lets attackers embed malicious code in zip archives while presenting it as seemingly innocuous files. These booby-trapped archives were then distributed across various online cryptocurrency trading platforms.
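The article describes the lure only at a high level: a malicious payload packed into a zip archive that presents itself as a harmless ".jpg" or ".txt". As an added defensive example (not from the article, Group-IB, or any vendor named here), the following Python scanner flags archive layouts with that shape. The heuristics it applies are an assumption drawn from public descriptions of the WinRAR bug rather than from this page: a decoy file whose name ends in trailing whitespace, a folder sharing the decoy's name, and a script inside that folder named after the decoy. The sample archives are constructed in the script for illustration.

```python
"""Defensive scanner for zip archives shaped like a WinRAR decoy-file lure.

Added example, not code from the original article. Heuristics are assumed
from public write-ups of the bug, not from the article: a decoy such as
"strategy.jpg " (trailing space) beside a folder of the same name that holds
a script "strategy.jpg .cmd". Sample archives below are constructed inline.
"""
import io
import os
import zipfile

# Extensions a lure tends to present as harmless (assumed list; the article
# mentions ".jpg" and ".txt").
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"}
# Extensions Windows executes when the file is opened (assumed list).
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".vbe", ".js", ".ps1", ".scr"}


def _ext(name: str) -> str:
    """Lower-cased extension of a file name (caller strips whitespace first)."""
    return os.path.splitext(name)[1].lower()


def scan_names(names: list[str]) -> list[str]:
    """Return human-readable findings for a list of archive entry names."""
    findings = []
    # Collect explicit and implicit directory names, trailing whitespace removed.
    dirs = set()
    for n in names:
        parts = n.rstrip("/").split("/")
        for i in range(1, len(parts)):
            dirs.add("/".join(parts[:i]).rstrip())
        if n.endswith("/"):
            dirs.add(n.rstrip("/").rstrip())

    files = [n for n in names if not n.endswith("/")]
    decoy_bases = set()
    for n in files:
        base = n.rsplit("/", 1)[-1]
        if base != base.rstrip():
            findings.append(f"file name ends with whitespace: {n!r}")
        if _ext(base.rstrip()) in DECOY_EXTS:
            decoy_bases.add(base.rstrip())
        if n.rstrip() in dirs:
            findings.append(f"file and folder share a name: {n!r}")

    # A script whose name, minus its own extension, equals a decoy's name
    # ("strategy.jpg .cmd" next to "strategy.jpg ") is the core lure shape.
    for n in files:
        base = n.rsplit("/", 1)[-1]
        if _ext(base) not in SCRIPT_EXTS:
            continue
        stem = os.path.splitext(base)[0].rstrip()
        if stem in decoy_bases:
            findings.append(f"script {n!r} mirrors decoy name {stem!r}")
    return findings


def scan_archive(data: bytes) -> list[str]:
    """Scan raw zip bytes; names are read without extracting any content."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(zf.namelist())


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Construct an in-memory zip from {name: content} (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure-shaped archive and a clean one.
LURE = {
    "strategy.jpg ": b"not really an image",
    "strategy.jpg /strategy.jpg .cmd": b"echo placeholder payload",
}
BENIGN = {"chart.png": b"\x89PNG", "notes.txt": b"trading notes"}


if __name__ == "__main__":
    for label, entries in (("lure", LURE), ("benign", BENIGN)):
        hits = scan_archive(build_zip(entries))
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print("  -", h)
```

Run it on a downloaded archive by passing the file's bytes to `scan_archive`; because only the central directory names are inspected, nothing is extracted or executed. The constructed lure produces three findings (trailing whitespace, shared file/folder name, mirrored script name) and the clean archive none.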
Group-IB, a renowned cybersecurity research firm, discovered this previously unknown security flaw in WinRAR while investigating activities linked to the DarkMe remote access Trojan.
The Trojan, initially uncovered by security vendor NSFocus last year, was attributed to the Evilnum group. The malware exhibits a range of capabilities, including espionage functions and the ability to load other malicious software. Evilnum employed DarkMe in attacks against online casinos and trading platforms in multiple nations.
The attacker's modus operandi typically involved attaching malware-laden zip archives to forum posts or sending them as private messages to forum members. To pique interest, the attacker chose post topics relevant to the forum's focus.
For example, one post purported to share a top-tier bitcoin trading strategy, accompanied by the malicious zip archive. Group-IB additionally observed instances where the attacker infiltrated forum accounts to embed their malware within ongoing discussions.
In select cases, the attacker distributed the compromised zip archives using the file storage service "catbox.moe." Upon infecting a system, the malware gained unauthorized access to victims' trading accounts and proceeded to execute transactions designed to siphon funds from the accounts.