Hackers are exploiting a previously unknown WinRAR flaw to target traders and steal digital funds. Patch immediately.
Hackers are exploiting a previously unknown flaw in WinRAR (CVE-2023-38831), a trusted file archive utility commonly used on Windows. The vulnerability has been used in targeted attacks against traders, with attackers using it to deliver malware that steals digital funds.
How the Exploit Works
The flaw lies in how WinRAR handles ZIP archives that contain a benign-looking file (such as a PDF) alongside a folder of the same name containing a malicious executable. When the user double-clicks the benign file inside WinRAR, the application instead executes the malicious file from the same-named folder. The user sees the document they expected; the malware runs in the background.
What to Do
- Update WinRAR to version 6.23 or later immediately.
- Where possible, replace WinRAR with a vendor-managed alternative on user endpoints.
- Add EDR detection rules for WinRAR.exe spawning unexpected child processes (cmd.exe, powershell.exe, or executables launched from temporary directories).
- For trading desks and any high-value targeted user, treat any exposure during the vulnerability window as worth a hunt.
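As an added example (not code from the original advisory), the detection bullet above implemented as a small hunt over constructed Sysmon-style process-creation events in JSON-lines form; the field names, the sample paths and the temp-directory heuristic are assumptions.

```python
import json
import ntpath
import re

# Child images the advisory calls out: shells launched by the archiver.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
# Windows temporary locations (assumed heuristic); WinRAR extracts a
# double-clicked file under %TEMP% before opening it.
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def classify(event):
    """Return a reason string if a process-creation event matches the
    'WinRAR.exe spawns an unexpected child' pattern, else None."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent != "winrar.exe":
        return None
    image = event.get("Image", "")
    child = ntpath.basename(image).lower()
    if child in SHELL_CHILDREN:
        return f"WinRAR.exe spawned shell {child}"
    if TEMP_DIR_RE.search(image):
        return f"WinRAR.exe spawned executable from temp dir: {image}"
    return None


def hunt(log_lines):
    """Parse JSON-lines events; return (UtcTime, reason) for every hit."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        reason = classify(event)
        if reason:
            hits.append((event.get("UtcTime", "?"), reason))
    return hits


# Constructed sample telemetry (Sysmon-style field names, not real data).
SAMPLE_LOG = r"""
{"UtcTime": "2023-08-23 09:14:02", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ..."}
{"UtcTime": "2023-08-23 09:14:03", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", "Image": "C:\\Users\\trader\\AppData\\Local\\Temp\\Rar$EXa0.123\\update.exe", "CommandLine": "update.exe"}
{"UtcTime": "2023-08-23 09:20:41", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", "Image": "C:\\Program Files\\Adobe\\Acrobat\\Acrobat.exe", "CommandLine": "Acrobat.exe statement.pdf"}
{"UtcTime": "2023-08-23 09:21:00", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
not a json line
"""


def run_sample():
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, reason in run_sample():
        print(ts, reason)
```

Only the two WinRAR-parented events that launch a shell or a temp-directory executable are flagged; the PDF reader launch and the explorer-parented cmd.exe are not.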
Targeted attacks against finance and trading desks are accelerating. Patch hygiene on file utilities is a small effort with outsized payoff.