A new strain of ransomware tracked as JNEC.a is spreading through an exploit that triggers the recently discovered vulnerability in WinRAR.

The ransomware was involved in attacks observed in the wild by the Qihoo 360 Threat Intelligence Center. The threat actors used an archive named “vk_4221345.rar” that delivers JNEC.a when its contents are extracted with a vulnerable version of WinRAR.

Warning!!! Possibly the first #ransomware (vk_4221345.rar) spread by #WinRAR exploit (#CVE-2018-20250). The attacker lures victims to decompress the archive through embedding a corrupt and incomplete female picture. It renames files with .Jnec extension. https://t.co/MHNgHw7zAI pic.twitter.com/Tn5SoXht2A — 360 Threat Intelligence Center (@360TIC) March 18, 2019

The vulnerability, tracked as CVE-2018-20250, was discovered by experts at Check Point in February. It could allow an attacker to gain control of the target system.

Over 500 million users worldwide use the popular software and are potentially impacted by the flaw, which affects all versions released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.

The ransomware encrypts data on the victim’s machine, appends the .Jnec extension to the encrypted files, and asks for a ransom of 0.05 bitcoins (about $200).

Once the ransomware has encrypted the files on the victim’s computer, it generates a Gmail address that victims need to create in order to receive the file decryption key once they pay the ransom.

This method of identifying infected machines is a novelty in the threat landscape: victims must register the Gmail account provided by the ransomware in order to receive the decryption keys.

The JNEC.a ransomware also drops a ransom note (JNEC.README.TXT) on the infected computer to provide instructions on how to make the payment.

JNEC.a is written in .NET. When the archive is decompressed, it shows a corrupted image of a girl that triggers an error and appears incomplete; meanwhile, the ransomware has already been delivered to the computer.

The attackers named the malware dropped in the Startup folder ‘GoogleUpdate.exe’ in an attempt to deceive the victims.
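The indicators described above (an executable landing in the Startup folder during archive extraction, the .Jnec extension, and the JNEC.README.TXT note) can be combined into a simple triage over file-write telemetry. This is an added example, not code from the article or the researchers it cites; the event tuple format, the archiver process list and the burst threshold are assumptions, and the sample events are constructed.

```python
import ntpath
from collections import Counter

ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}   # assumption: extend per site
EXEC_EXT = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
STARTUP = "\\start menu\\programs\\startup\\"
RANSOM_NOTE = "jnec.readme.txt"   # note name given in the article
RANSOM_EXT = ".jnec"              # extension given in the article
BURST = 3                         # assumption: renamed files per process

def triage(events):
    """events: (process_image, written_path) pairs -> list of (rule, detail)."""
    findings, renamed = [], Counter()
    for proc, path in events:
        proc_name = ntpath.basename(proc).lower()
        norm = ntpath.normpath(path).lower()   # folds '/' and '..' segments
        name = ntpath.basename(norm)
        ext = ntpath.splitext(name)[1]
        # Extraction should stay in the chosen folder; an archiver writing an
        # executable into Startup is the path-traversal outcome.
        if proc_name in ARCHIVERS and STARTUP in norm and ext in EXEC_EXT:
            findings.append(("archiver_wrote_startup_executable", path))
        if name == RANSOM_NOTE:
            findings.append(("jnec_ransom_note", path))
        if ext == RANSOM_EXT:
            renamed[proc_name] += 1
    for proc_name, count in renamed.items():
        if count >= BURST:
            findings.append(("jnec_extension_burst", f"{proc_name}:{count}"))
    return findings

# Constructed sample telemetry (not taken from a real incident).
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
DROPPED = STARTUP_DIR + r"\GoogleUpdate.exe"
SAMPLE_EVENTS = [
    (r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Users\alice\Downloads\vk\photo.jpg"),
    (r"C:\Program Files\WinRAR\WinRAR.exe", DROPPED),
    (r"C:\Windows\explorer.exe", STARTUP_DIR + r"\notes.lnk"),  # benign writer
    (DROPPED, r"C:\Users\alice\Documents\a.docx.Jnec"),
    (DROPPED, r"C:\Users\alice\Documents\b.xlsx.Jnec"),
    (DROPPED, r"C:\Users\alice\Pictures\c.png.Jnec"),
    (DROPPED, r"C:\Users\alice\Desktop\JNEC.README.TXT"),
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(rule, detail)
```

The first rule does not depend on this particular family: any archiver writing an executable into a Startup folder is worth an alert, whatever payload follows.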

A few days ago, McAfee reported that attackers are continuing to exploit the WinRAR flaw in the wild. The company identified more than “100 unique exploits and counting” in the first week after the vulnerability was publicly disclosed.

The JNEC.a ransomware still has a low detection rate: it was identified as malicious by 31/71 antivirus engines on the VirusTotal service.

At the time of writing, 29 antivirus engines detect JNEC.a as a threat. According to the popular malware researcher Michael Gillespie, a bug in its code makes it impossible to decrypt files, even for the developer.

Pierluigi Paganini

(SecurityAffairs – JNEC.a ransomware, hacking)