A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.
The campaign, discovered by researchers with 360 Threat Intelligence Center, takes advantage of a path-traversal WinRAR vulnerability, which could allow bad actors to remotely execute malicious code on victims’ machines simply by persuading them to open a file.
Researchers with 360 Threat Intelligence Center said on Monday in a tweet that the campaign is “possibly the first malware delivered through mail to exploit WinRAR vulnerability.” They added: “The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.”
The researchers’ tweet, including the indicators of compromise they published:
“Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.
IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443”
— RedDrip Team (@RedDrip7) February 25, 2019
WinRAR is a popular file-archiving utility for Windows, which can create and view archives in the Roshal Archive Compressed (RAR) and ZIP formats, and unpack numerous other archive formats. The flaw disclosed last week was fixed in January, but with WinRAR’s enormous user base of 500 million, there’s no guarantee that everyone has updated the software.
The malspam emails feature an archive, which in turn contains a malicious .exe file called CMSTray.exe: “CMSTray.exe is encapsulated inside the malicious archive rather than downloaded from remote,” researchers said on Twitter.
When a victim opens the archive distributed by the attackers using WinRAR, the malware is dropped as CMSTray.exe in the system-wide Startup folder (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe).
When the machine next starts up, the malicious .exe file runs and infects the system. There is a caveat, said researchers: the victim must have Windows User Account Control (UAC) disabled for the attack to work, because WinRAR otherwise cannot write into that global startup folder.
The flaw (CVE-2018-20250), while 19 years old, was only last week disclosed by Check Point researchers.
Researchers specifically found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library used by WinRAR to parse ACE archives (a data compression archive file format). A path-traversal attack lets attackers read or write files in directories they should not be able to reach, such as config files or other files containing server data that is not intended to be public.
When taking a closer look at unacev2.dll, researchers found that “it’s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them,” said Check Point’s Grossman.
Because unacev2.dll lacks these protections and is no longer supported, researchers were able to simply rename an ACE file to give it a .rar extension; WinRAR still hands the file to unacev2.dll for parsing. When opened by WinRAR, the disguised ACE file containing a malicious program is extracted to the system’s startup folder, so the program runs automatically whenever the system starts.
Ultimately, if a bad actor used spear-phishing tactics to send an unknowing victim a disguised ACE file, and the victim opened the file in WinRAR, the payload would be extracted into the victim’s startup folder without further interaction, and malware could then be quickly planted on the system.
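The two defensive checks this story implies can be shown in a few lines of Python. The example below is added here and is not code from the article, Check Point, or 360 Threat Intelligence Center: the first function rejects archive member names that would escape the extraction directory (drive letters, absolute and UNC paths, and ".." components, with both Windows and POSIX separators), and the second identifies a file whose contents are an ACE archive regardless of its extension, using the "**ACE**" signature that the ACE header format places at offset 7. The member names and byte strings are constructed samples; only CMSTray.exe and the Startup folder path come from the report.

```python
import posixpath
import re
from typing import Dict, Optional

# Constructed archive listing (not the campaign's real archive). Only the
# CMSTray.exe name and the ProgramData Startup path appear in the report.
SAMPLE_MEMBERS = [
    "invoice/2019-02.pdf",
    r"..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe",
    r"C:\Users\Public\CMSTray.exe",
    r"\\server\share\CMSTray.exe",
    "photos/../../CMSTray.exe",
    "./notes.txt",
]

# Constructed file contents: a minimal ACE-like header and a RAR4 header.
FAKE_ACE_BYTES = b"\x00" * 7 + b"**ACE**" + b"\x00" * 10
FAKE_RAR4_BYTES = b"Rar!\x1a\x07\x00" + b"\x00" * 20

_SEP = re.compile(r"[\\/]")  # accept both Windows and POSIX separators


def classify_member_path(name: str) -> str:
    """Return 'ok' if the member name is a plain relative path, else the reason to reject it."""
    if re.match(r"^[A-Za-z]:", name):
        return "drive-letter path"
    if name.startswith(("\\", "/")):
        return "absolute or UNC path"
    parts = _SEP.split(name)
    if any(part == ".." for part in parts):
        return "parent-directory traversal"
    if all(part in ("", ".") for part in parts):
        return "empty path"
    return "ok"


def safe_extract_target(dest_root: str, name: str) -> Optional[str]:
    """Join a vetted member name under dest_root; None if the name must be rejected."""
    if classify_member_path(name) != "ok":
        return None
    parts = [p for p in _SEP.split(name) if p not in ("", ".")]
    return posixpath.join(dest_root.rstrip("/"), *parts)


def triage_listing(names) -> Dict[str, str]:
    """Classify every member name in an archive listing."""
    return {name: classify_member_path(name) for name in names}


RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"  # occupies bytes 7..13 of the ACE main header


def sniff_archive(data: bytes) -> str:
    """Identify the container format from its leading bytes, ignoring the filename."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a .rar-named file actually carries ACE content (the disguise described above)."""
    return filename.lower().endswith(".rar") and sniff_archive(data) == "ace"


if __name__ == "__main__":
    for name, verdict in triage_listing(SAMPLE_MEMBERS).items():
        print(f"{verdict:28} {name}")
    print("ACE disguised as .rar:", extension_mismatch("sample.rar", FAKE_ACE_BYTES))
```

A mail gateway or extraction wrapper can apply both checks before any archive member touches disk: refuse the file when the container signature does not match its extension, and refuse any member whose name is not a plain relative path under the chosen extraction directory.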
A WinRAR spokesperson told Threatpost: “We have removed support for the ACE file format from WinRAR in the new Beta version 5.70.”
Researchers urged WinRAR users to update as soon as possible to the newest version of the software, 5.70 beta 1.