WinRAR has recently been found to contain a zero-day remote code execution vulnerability that has been exploited in the wild to distribute multiple malware families, including DarkMe, GuLoader, and RemcosRAT. Researchers from Group-IB report that attacks exploiting the vulnerability have been under way since April. Once installed on a victim's computer, the malware accesses the victim's trading accounts and carries out fraudulent withdrawals of funds.
Group-IB analysts discovered the attack while monitoring DarkMe malware activity. Although the DarkMe strain has previously been linked to the Evilnum group, it is not known who exploited the WinRAR vulnerability to deploy the malware in this campaign.