Cybercriminals Have a Heyday with WinRAR Bug in Fresh Campaigns

winrar exploitation backdoor

With new attacks on the Israeli military and social-work educators, exploitation of the 19-year-old flaw shows no signs of slowing down.

A recently discovered vulnerability in the WinRAR file archival utility has been exploited in a slew of new campaigns, including one with a never-before-seen payload. The flurry of activity shows no sign of waning as cybercriminals continue to find success exploiting the bug.

The campaigns take advantage of a path-traversal vulnerability (CVE-2018-20250) in WinRAR, which is used by more than 500 million users around the world. The bug is a long-standing one, present in the code base for 19 years before being uncovered in February.

It “enables attackers to specify arbitrary destinations during file extraction of ‘ACE’ formatted files, regardless of user input,” explained FireEye researchers, in a recent posting. “Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, like the Windows Startup Start Menu folder.”

Since its disclosure, several campaigns have been seen using the vulnerability. FireEye said that the latest are using customized decoy documents with a variety of payloads that are deployed to the Windows Startup folder.

The flaw’s popularity for exploitation may seem counter-intuitive given that the latest version of WinRAR (5.70) fixes the bug, but WinRAR itself does not contain auto-update features, meaning that many in the existing install base of users are likely running out-of-date, vulnerable versions.

“Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days,” the researchers at FireEye said.

One offensive, observed by the firm, impersonated an education accreditation organization known as the Council on Social Work Education (CSWE). It made use of malicious emails with an ACE file attachment dubbed “Scan_Letter_of_Approval.rar”. Once extracted, it unpacks a file named winSrvHost.vbs in the Startup folder without the user’s consent. The VBScript file was then executed the next time Windows starts up.

Meanwhile, a decoy document was planted in the extraction file, “Letter of Approval.pdf”, with content cribbed from the CSWE website, to avoid raising user suspicions.

The VBS file in the Startup folder meanwhile was executed by wscript.exe when Windows started up, after which it established communication with the command-and-control (C2) server and acts as a backdoor to the system. The malware then sent the victim ID and the computer name to the C2 server, which responded with an order to download a second-stage payload, the Netwire RAT.

A second campaign observed by FireEye was an attack on the Israeli military, in which the attacker sent a spoofed email to the victim with an attached ACE file named “SysAid-Documentation.rar”.

This ACE file unpacked decoy files related to documentation for SysAid, a help-desk service based in Israel, FireEye noted. One of these contained a LNK file that points to an icon remotely hosted on one of the campaign’s C2 servers, which can be used to steal NTLM hashes.

Meanwhile, a previously unknown payload that FireEye dubbed “SappyCache” is copied to the Startup folder with the file name “ekrnview.exe”, which executes the next time that Windows starts up. SappeCache is interesting because it has three different ways to attack to the C2 server and download the second-stage payload. It first decrypts a file to uncover the C2 URLs; if that fails, it next tries to decrypt a resource. If that too is unsuccessful, it will connect using hard-coded URLs.

Though “the malware tries to execute the decrypted payload….during our analysis, the C2 server did not respond with a next-level payload,” FireEye researchers noted in the write-up.

Meanwhile, a fourth attack interestingly used credential and stolen credit-card dumps as decoy documents to distribute different types of RATs and password stealers.

Text files containing stolen email credentials and credit card details acted as decoys, while various payloads, such as a keylogging malware called QuasarRAT and a Buzy sample with password-stealing and standard RAT capabilities, FireEye researchers noted.

While all of these campaigns have in common the placement of the payload – in the Startup folder – an enterprising adversary could make their efforts stealthier over time.

“This vulnerability allows the malicious ACE file to write a payload to any path if WinRAR has sufficient permissions, so although the exploits that we have seen so far chose to write the payload to the Startup folder, a more involved threat actor can come up with a different file path to achieve code execution so that any behavior-based rules looking for WinRAR writing to the startup folder can be bypassed.”

Don’t miss the free replay of our Threatpost webinar, “Exploring the Top 15 Most Common Vulnerabilities with HackerOne and GitHub.”

Vulnerability experts Michiel Prins, co-founder of webinar sponsor HackerOne, and Greg Ose, GitHub’s application security engineering manager, join Threatpost editor Tom Spring to discuss what vulnerability types are most common in today’s software, and what kind of impact they would have on organizations if exploited.




Suggested articles