A vulnerability that impacts all the WinRAR versions released in the last 19 years has become the go-to exploit for many malware distributors over the course of the last month.
Several campaigns have been detected so far during which cyber-criminal groups, and possibly some nation-state hackers, tried to exploit the WinRAR vulnerability to plant malware on users' devices.
The vulnerability was publicly disclosed on February 20 by security researchers from Israeli cyber-security firm Check Point. An attacker can create booby-trapped archives that, when unpacked with the WinRAR app, would place malicious files anywhere on users' systems.
Check Point argued that attackers would use this vulnerability (tracked as CVE-2018-20250) to plant malware in the Windows Startup folder, where it would automatically execute after each system reboot.
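The two passages above describe the defender-relevant mechanics: a crafted archive whose entry names point outside the extraction directory, typically at the Windows Startup folder, and (from the campaign reports further down) ACE payloads shipped under a .rar name. The following is an added example, not code from the article or from Check Point, showing the two triage checks a mail gateway or endpoint tool can run before an archive reaches WinRAR: a content sniff for the ACE signature regardless of extension, and a path-escape check on entry names. The ACE signature and its offset come from the libmagic definition for ACE data, not from the article; entry inspection uses ZIP as a stand-in because the Python standard library cannot parse ACE, and the sample archive and its entry names are constructed for the demonstration.

```python
import io
import os
import zipfile

# ACE main header: CRC16, header size, header type and flags occupy the first
# 7 bytes, followed by the literal "**ACE**" signature (libmagic definition).
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7

# Constructed stand-in for an ACE header: zero-filled fields plus the signature.
SAMPLE_ACE_HEADER = b"\x00" * ACE_MAGIC_OFFSET + ACE_MAGIC + b"\x00" * 16

# Case-insensitive marker for the per-user or global Startup folder path.
STARTUP_MARKER = "start menu/programs/startup"


def looks_like_ace(data: bytes) -> bool:
    """True if the bytes carry the ACE signature, whatever the extension says."""
    end = ACE_MAGIC_OFFSET + len(ACE_MAGIC)
    return len(data) >= end and data[ACE_MAGIC_OFFSET:end] == ACE_MAGIC


def escapes_destination(dest: str, member_name: str) -> bool:
    """True if extracting `member_name` under `dest` would write outside `dest`.

    Backslashes are normalised so Windows-style traversal is caught on any
    host, and absolute names (leading separator or drive letter) are rejected
    outright.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, *name.split("/")))
    return os.path.commonpath([dest_abs, target]) != dest_abs


def targets_startup_folder(member_name: str) -> bool:
    """True if the entry name aims at a Windows Startup folder."""
    return STARTUP_MARKER in member_name.replace("\\", "/").lower()


def triage_archive(data: bytes, dest: str = "extract") -> dict:
    """Format sniff plus per-entry name checks for one archive blob.

    Entry inspection is done with zipfile (stdlib has no ACE reader); the
    name checks themselves apply to any archive format.
    """
    findings = {"is_ace": looks_like_ace(data), "traversal": [], "startup": []}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if escapes_destination(dest, name):
                    findings["traversal"].append(name)
                if targets_startup_folder(name):
                    findings["startup"].append(name)
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign entry and one whose name walks out
    of the extraction directory towards a Startup folder (placeholder data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 benign placeholder")
        zf.writestr(
            "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
            b"MZ placeholder",
        )
    return buf.getvalue()


if __name__ == "__main__":
    print("sniff:", looks_like_ace(SAMPLE_ACE_HEADER))
    print("triage:", triage_archive(build_sample_zip()))
```

The sniff matters because the lure files in these campaigns were named .rar; WinRAR chooses the decoder from the content, so a gateway that trusts the extension will miss them. The path check is the same logic a safe extractor applies: resolve each entry against the destination and refuse anything that lands outside it.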
Their hunch was correct, and within a week hacker groups began exploiting the vulnerability to plant backdoor trojans on users' computers.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://t.co/bK0ngP2nIy
— 360 Threat Intelligence Center (@360TIC) February 25, 2019
IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443 pic.twitter.com/WpJVDaGq3D
Spam campaigns continued after this first campaign, and diversified to spread different malware payloads, using different lures, ranging from technical documents to adult images.
Warning! Upgrades in the #WinRAR vulnerability (#CVE-2018-20250) exploit, use social engineering to lure victims with embedded image files and encrypt the malicious ACE archive before delivering.
— 360 Threat Intelligence Center (@360TIC) February 27, 2019
Analysis report: https://t.co/LEcRPqP0cT
Chinese version: https://t.co/wbDCdZl1YV pic.twitter.com/8cjieD1xVJ
Malicious archives that tried to exploit the WinRAR flaw were also sent to South Korean government agencies a day before the second Donald Trump and Kim Jong-un summit, which took place at the end of February in Vietnam.
While none of the security researchers with whom ZDNet spoke at the time confirmed any links to North Korean or Russian state hacking groups, the timing and targeting were consistent with nation-state hacking operations, they said.
But this wasn't the only event where politically-themed spear-phishing campaigns were seen using the WinRAR exploit. There were two others.
The first used a theme about a Ukrainian law to lure victims into unzipping a malicious archive exploiting the WinRAR flaw.
#WinRAR exploit (#CVE-2018-20250) sample seems targeting #Ukraine with a Ukrainian law related PDF document embedded. It drops mssconf.bat to download and execute additional PowerShell scripts.
— 360 Threat Intelligence Center (@360TIC) February 28, 2019
Malicious URL: http://31.148.220.53:80/login/process.php https://t.co/yGJsS4MVTy pic.twitter.com/M6bf6TvpCr
And then there was a second campaign that used a lure about United Nations and human rights to target users in the Middle East.
WinRAR exploit (#CVE-2018-20250) sample (united nations .rar) seems targeting the Middle East. Embedded with bait documents relating to the United Nations Human Rights and the #UN in Arabic, it finally downloads and executes #Revenge RAT. https://t.co/WJ4oJ1UxAz pic.twitter.com/fgHYSD4Mk5
— 360 Threat Intelligence Center (@360TIC) March 12, 2019
Both of these are highly targeted attacks, and most likely the work of intelligence services engaged in cyber-espionage.
But while nation-states seem to have hopped on the WinRAR exploitation train, this doesn't mean that regular cyber-crime gangs have stopped using the same vulnerability to distribute mundane malware strains.
In a report published yesterday, US cyber-security firm McAfee described the latest of these campaigns, one using an Ariana Grande lure to trick users into opening booby-trapped archives that plant malware on their systems.
All in all, McAfee experts say they've seen "100 unique exploits and counting" that used the WinRAR vulnerability to infect users.
In the grand scheme of things, these attacks are bound to continue because WinRAR is an ideal attack surface: the app has more than 500 million users (according to its vendor), most of whom are most likely running an out-of-date version that can be exploited.
WinRAR's developers released WinRAR 5.70 Beta 1 on January 28 to address this vulnerability; however, users have to manually visit the WinRAR site, download the new version and then install it. The vast majority of users are most likely unaware that this vulnerability even exists, let alone that they need to install a critical security update.