A North Korean hacker group is exploiting a vulnerability in the popular WinRAR file compression program to steal cryptocurrency from unsuspecting users.
According to a detailed investigation by the Chuangyu 404 Advanced Threat Intelligence team, a Chinese research group, Konni APT (Advanced Persistent Threat), a group of hackers based in North Korea, is using a WinRAR vulnerability to carry out attacks on the cryptocurrency industry.
The person who shared the case was crypto-focused journalist Colin Wu on his social network X (formerly Twitter):
“North Korean hacker group APT Konni exploited the WinRAR vulnerability (CVE-2023-38831) in order to attack the cryptocurrency industry for the first time. When the victim clicks on the compressed HTML file, the malicious payload constructed with the same name in the directory will be executed,” he wrote.
Hackers target WinRAR users
As the investigation pointed out, Konni is adopting new tactics, techniques and procedures in order to target the cryptocurrency industry.
The report pointed out that Konni’s decision to target cryptocurrencies was rare. Furthermore, it highlighted that the crypto and finance sector was often targeted by North Korea’s notorious Lazarus Group. In fact, the Lazarus Group is allegedly responsible for several recent attacks on cryptocurrency exchanges. This includes, for example, the $70 million attack on CoinEx this week.
“As we all know, the North Korean organization APT has previously targeted the cryptocurrency industry. However, North Korea’s attacks on the cryptocurrency/financial industries are often operated by the Lazarus organization. This attack is also relatively rare,” the report says.
The attack relies on a crafted archive that pairs a harmless-looking decoy file (in this case an HTML file) with a directory of the same name, inside which sits a malicious payload whose name also begins with the decoy's. When the victim opens the decoy in a vulnerable version of WinRAR, the program extracts and executes the payload as well, without the victim noticing. That gives the attackers a foothold on the machine from which they can go after the victim's crypto assets.
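One practical check a defender can run against incoming archives is to look for the layout described above: a top-level decoy file and a directory that mirrors its name (usually differing only by trailing whitespace), with an executable inside whose name starts with the decoy's. The scanner below is an added example written for this article; it is not code from the Chuangyu 404 report or from Konni's tooling. It inspects ZIP archives only (WinRAR's handling of ZIP is what CVE-2023-38831 concerns; RAR would need a separate parser), the executable suffix list is an assumption rather than an exhaustive one, and the two sample archives are constructed in memory for the demonstration, with a "payload" that merely echoes a line.

```python
import io
import sys
import zipfile

# Suffixes that the Windows shell would run. Assumption: an illustrative
# list for this example, not an exhaustive one.
EXEC_SUFFIXES = (".cmd", ".bat", ".exe", ".scr", ".com", ".vbs", ".js", ".ps1", ".lnk")


def find_lookalike_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (decoy, payload) pairs laid out like a CVE-2023-38831 lure.

    A lure has a top-level file (the decoy) plus a directory with the same
    name, typically differing only by trailing whitespace, and that directory
    holds an executable whose name begins with the decoy's name.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    # Top-level regular files are the decoy candidates.
    decoys = [n for n in names if "/" not in n]
    # Group every nested entry under its top-level directory name.
    dirs: dict[str, list[str]] = {}
    for n in names:
        if "/" in n:
            top, _, _ = n.partition("/")
            dirs.setdefault(top, []).append(n)
    for decoy in decoys:
        key = decoy.rstrip().lower()
        for top, members in dirs.items():
            if top.rstrip().lower() != key:
                continue  # directory name does not mirror the decoy
            for member in members:
                base = member.rsplit("/", 1)[-1].lower()
                if base.startswith(key) and base.endswith(EXEC_SUFFIXES):
                    findings.append((decoy, member))
    return findings


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples, not real attack files: an ordinary archive and one that
# mirrors the decoy/directory/payload layout. The "payload" only echoes text.
BENIGN_SAMPLE = build_archive({
    "invoice.html": b"<html><body>Q3 invoice</body></html>",
    "images/logo.png": b"\x89PNG\r\n\x1a\n",
})
LURE_SAMPLE = build_archive({
    "invoice.html ": b"<html><body>Q3 invoice</body></html>",
    "invoice.html /invoice.html .cmd": b"@echo off\r\necho demo only\r\n",
})


def scan_path(path: str) -> list[tuple[str, str]]:
    """Scan a ZIP file on disk and return any suspicious decoy/payload pairs."""
    with open(path, "rb") as fh:
        return find_lookalike_entries(fh.read())


if __name__ == "__main__":
    # Usage: python scan_winrar_lure.py archive1.zip archive2.zip ...
    for p in sys.argv[1:]:
        hits = scan_path(p)
        print(p, "SUSPICIOUS" if hits else "clean", hits)
```

The check flags the archive structure, not the WinRAR bug itself, so it is useful at a mail gateway or on a sandbox regardless of which WinRAR version the recipient runs; the name comparison strips trailing whitespace because that is what lets the decoy and the directory coexist under what looks like one name.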
RARLAB fixed the flaw in WinRAR 6.23, released in August 2023. WinRAR does not update itself, however, so users still running an older version remain exposed.