
WinRAR Falls to Hackers

Bad news comes in bulk. Bad actors are exploiting a WinRAR bug to steal assets, and North Korea is on the verge of cashing out stolen crypto assets.

When it rains, it pours, they say. Looks like cybercriminals are all set to make it pour, having exploited a zero-day vulnerability in WinRAR, the software archiving tool for Windows, to steal funds from broker accounts. On another front, North Korean bad actors are planning to cash in the assets stolen during past crypto attacks. 

The vulnerability in WinRAR was discovered by cybersecurity company Group-IB, which stated that the bug affected the processing of the ZIP file format and was being exploited as a zero-day flaw, meaning the vendor had no time to fix it before attacks began. Hackers used it to embed malicious scripts in archive files disguised as .jpg images or .txt files in order to compromise machines.

The cybersecurity firm says hackers have exploited the vulnerability since April to spread malicious ZIP archives on trading forums. A report in TechCrunch quoted Group-IB officials as saying that these files were posted across at least eight public forums that cover trading, investment and cryptocurrency-related subjects.
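As an added example, not code from the article or from Group-IB, here is a defender-side check in Python that inspects a ZIP archive for entries whose .jpg or .txt name does not match their content (an image without the JPEG signature, a text file carrying script markers) and flags outright script or executable extensions; the archive, entry names and marker list are constructed for illustration.

```python
import io
import zipfile
from typing import List

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG file starts with these three bytes
# byte sequences that have no business in a plain-text note (constructed, non-exhaustive)
SCRIPT_MARKERS = (b"@echo off", b"#!/", b"<script")
EXEC_EXTENSIONS = (".exe", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".scr")

def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return names of entries whose claimed type does not match their content.

    A .jpg/.jpeg entry must carry the JPEG signature, a .txt entry must not
    contain script markers, and script/executable extensions are flagged outright.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(4096)  # the first 4 KiB is enough for these checks
            if lower.endswith((".jpg", ".jpeg")):
                if not head.startswith(JPEG_MAGIC):
                    flagged.append(name)
            elif lower.endswith(".txt"):
                if any(marker in head for marker in SCRIPT_MARKERS):
                    flagged.append(name)
            elif lower.endswith(EXEC_EXTENSIONS):
                flagged.append(name)
    return flagged

def build_sample_archive() -> bytes:
    """Constructed sample archive: two benign entries and three disguised ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("chart.jpg", JPEG_MAGIC + b"\x00" * 64)             # genuine-looking image
        zf.writestr("readme.txt", b"Q3 trading notes, see chart.\n")   # genuine text
        zf.writestr("invoice.jpg", b"@echo off\r\nrem constructed sample, does nothing\r\n")
        zf.writestr("notes.txt", b"#!/bin/sh\n# constructed sample, does nothing\n")
        zf.writestr("helper.vbs", b"' constructed sample, does nothing\r\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(suspicious_entries(build_sample_archive()))
```

A mismatch between an entry's extension and its content is a cheap triage signal for archives received from forums or messages, not proof of exploitation of this specific bug.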

North Korean hackers set to cash in on crypto heist

And if you thought that was enough bad news, the US government has warned that North Korean hackers are set to cash out millions of dollars they stole through several past crypto hacks. The FBI warned cryptocurrency companies of recent blockchain activity conducted by the North Korea-backed Lazarus Group, also known as APT38.

The FBI said that over the past 24 hours it had tracked approximately 1,580 bitcoin — worth more than $40 million — that the North Korean hackers are currently holding in six separate crypto wallets. The FBI said these funds were stolen during “several” cryptocurrency heists.

Financial sector on the radar of WinRAR hackers

Coming back to the WinRAR campaign, Group-IB says it came to light when admins of a targeted forum issued a warning to users and blocked the accounts used by the attackers. Group-IB said the hackers managed to unlock those accounts and continued to spread malicious files via threads and private messages.

So, when a user on such a forum opens the booby-trapped file, the hackers gain access to the victim’s brokerage accounts, where they perform illegal financial transactions and withdraw funds. The article quotes the cybersecurity firm as saying that at least 130 traders’ devices have been affected so far, though there is no data on actual financial losses.

The company says the threat actor’s identity is still a mystery, though the attackers were observed using DarkMe, a Visual Basic trojan previously used by a group known as Evilnum that has been active in the UK and Europe since 2018. However, the presence of a specific trojan is not proof that the same group is behind the latest heist, Group-IB has said.

Nearly $2 billion in crypto assets stolen

Coming back to the crypto heists, the FBI has issued an advisory asking crypto companies to examine recent blockchain data linked to six Bitcoin addresses and to be on the lookout for any dubious transactions from them. “The FBI will continue to expose and combat the DPRK’s use of illicit activities to generate revenue for the regime,” it said.

The name of the Lazarus Group has been linked to several crypto hacks including the $100 million heist from Harmony’s Horizon Bridge and the $625 million robbery from the Ronin Network, an Ethereum-based sidechain. Blockchain intelligence provider TRM Labs claims that North Korean hackers have thus far stolen close to $2 billion in crypto assets since 2018. 

Following the heist involving Atomic Wallet in June, where hackers compromised over 5,500 customer wallets and stole $100 million, the US administration announced a reward of $10 million for information on members of North Korean threat groups, including the Lazarus Group.
