WinRAR zero-day exploited in cyber espionage campaign

Pierluigi Paganini April 01, 2014

Israeli researcher Danor Cohen has discovered a security flaw in WinRAR, IntelCrawler confirmed was exploited in cyber espionage campaign.

WinRAR is a popular shareware file archiver and data compression utility, as usual these applications are targeted by hackers because their penetration level. Recently the Israeli researcher Danor Cohen has discovered that a security flaw in WinRAR is being exploited in a series of malware-based attacks that are targeting government entities and enterprises all around the world as revealed by cyber intelligence company IntelCrawler.  The vulnerability, named WinRAR file extension spoofing, was analyzed by IntelCrawler experts which confirmed that it can be exploited on all versions of WinRAR.

Cohen analyzed a vulnerability in WinRAR that allows an attacker to create a ZIP file that provided fake information on its content, practically it when compressed it appears to contain something different from its real content. An attacker could compress a malicious code and masquerade it as an innocent ZIP file containing any harmless content.

At this point it is enough that victim click on the file, which is an executable, to be infected.

A similar exploit is excellent to conduct undercover cyber espionage campaigns, in fact IntelCrawler experts have observed that bad actors are exploiting the WinRAR file extension spoofing  in a series of attacks against military subcontractors, embassies, aerospace corporations and companies from the Fortune Global 500 list. InterCrawler experts confirmed that the campaign began on March 24th, one of the archive used in the spam campaign and analyzed by IntelCrawler team was protected by a password reported in the content of the email that pretend to be sent from the European Council Legal Affairs.

Let’s give a look to the WinRAR vulnerability and how Cohen has exploited it.

The attacker exploits extra info in the file format descriptor, like the extra “file name” present into the compressed file.

The extra name is the “File Name” of the file that WINRAR provides when users uncompress the archive, the first name is the name displayed in the GUI.
In the two file names are different WinRAR will show the spoofed file name, while after decompression the user will get the real file name.

“This Behavior can easily turned into a very dangerous security hole. Think about a hacker that publish some informative “txt” file called “ReadMe.txt” or even PDF like “VirusTotal_ScanResults.pdf” or more tempting file like”My Girl Friend new bathing suit.jpg”. Think about an innocent user that will open that file and instead of getting readme file, PDF book or interesting image, he will get a nasty Trojan Horse…” said Cohen.

POC  

  • Create a nasty file that will simply display a dialog box with “PWNED” message.
  • Compress it with WINRAR by choosing “WINZIP” method.
  • Open the ZIP file with an hex editor, change the second name only, this name will be used to deceive victims (MyPrivateImage.jpg) and save it as a ZIP file.
WinRar oday POC 1
  • The WINRAR archive shows you an image file, double click it, the nasty binary file will execute:

WinRar oday POC 2

 

Very interesting what do you think about?

Pierluigi Paganini

(Security Affairs –  WinRAR, cyber espionage)



you might also like

leave a comment