Pierluigi Paganini March 28, 2019

The recently patched vulnerability affecting the popular archiver utility WinRAR has been exploited to deliver new malware to targeted users.

A recently patched vulnerability affecting the popular archiver utility WinRAR it becoming a commodity in the cybercrime underground, experts reported it has been exploited to deliver new malware in targeted attacks.

The vulnerability, tracked as CVE-2018-20250, was discovered by experts at Check Point in February, it could allow an attacker to gain control of the target system.

Over 500 million users worldwide use the popular software and are potentially impacted by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.

The issue affects a third-party library, called UNACEV2.DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL, handles the extraction of files compressed in ACE data format. The experts pointed out that WinRAR determines the file format by analyzing its content and not the extension, this means that an attacker can change the .ace extension to .rar extension to trick the victims.

The researchers discovered that an attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

The WinRAR development team addressed the issue with the release of WinRAR version 5.70 beta 1.

A few days after the disclosure of the flaw, researchers at the 360 Threat Intelligence Center discovered a malspam campaign that was distributing a malicious RAR archive that could exploit the flaw to install deliver malware on a computer.

Later, security experts from McAfee reported that attackers are continuing in exploiting the WinRAR flaw, they identified more than “100 unique exploits and counting” in the first week since the vulnerability was publicly disclosed.

According to Symantec, the vulnerability was also exploited by the Iran-linked cyberespionage group tracked as Elfin and APT33 to target organizations in Saudi Arabia and the United States,

Researchers at FireEye observed four hacking campaigns, including ones that delivered new pieces of malware. This campaign was carried out by threat actors impersonating an educational accreditation council to hit users in the United States. The attackers used decoy documents apparently coming from the Council on Social Work Education (CSWE), a US association representing social work education.

“To avoid user suspicion, the ACE file contains a decoy document, “Letter of Approval.pdf”, which purports to be from CSWE, the Council on Social Work Education as shown in Figure 1. This seems to be copied from CSWE website.” reads the analysis published by FireEye.

When the victims extract the document with WinRAR, a VBS backdoor (winSrvHost.vbs) is dropped in the Windows Startup folder, this is the first time that this malicious code was observed by researchers.

After the system boot, the backdoor gathers some information about the compromised machine and connects the command and control server. The malicious code allows the attackers to download and execute files on the infected machine. In one case experts noticed that the malware was used to deliver the Netwire RAT.

“Interestingly, the backdoor communicates with the command and control (C2) server using the value of the Authorization HTTP header ” continues the analysis.

“It then extracts the base64-encoded data in the Authorization header of the HTTP response from the C2 server and decodes it. The decoded data starts with the instruction code from the C2 server, followed with additional parameters.”

Another campaign monitored by FireEye was aimed at the Israeli military, in this case, threat actors used emails with an ACE archive containing documentation for SysAid, a helpdesk service based in Israel. The decoy files also included a shortcut file named Thumbs.db.lnk that could be exploited by attacker to steal NTLM hashes from the system.

“Upon extraction, WinRAR copies a previously unknown payload we call SappyCache to the Startup folder with the file name ‘ekrnview.exe’. The payload is executed the next time Windows starts up.” continues the analysis.

Another campaign leverages credential dumps and likely stolen credit card dumps as decoy documents to distribute different types of RATs and password stealers, including QuasarRAT, Azorult, Netwire, Razy and Buzy.

The last campaign monitored by FireEye apparently targeted Ukraine and involved the Empire PowerShell backdoor.

“We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and by using different propagation techniques such as email and URL. Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.” concludes FireEye.

Pierluigi Paganini

(SecurityAffairs – WinRAR, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]