Recently Disclosed WinRAR Vulnerability Being Actively Exploited in Malspam Campaign

It doesn’t take long after the release of a patch for hackers to take advantage, especially when the vulnerability potentially impacts 500 million users. It is therefore not surprising that at least one hacker is taking advantage of a recently disclosed WinRAR vulnerability.

Oftentimes, vulnerabilities are found in certain versions of software, but this vulnerability affects all WinRAR users and dates back 19 years. The WinRAR vulnerability was identified by researchers at Check Point. WinRAR was alerted and confirmed the vulnerability existed, and promptly issued an updated version of the file compression tool with the vulnerability removed. Details of the vulnerability were disclosed in a Check Point blog post on February 20, 2019.

The WinRAR vulnerability in question was present in a third-party DLL file which was included in WinRAR to allow ACE archive files to be uncompressed. The researchers found that by renaming a .rar archive to make it appear that the compressed file was an ACE archive, it was possible to extract a malicious file into the startup folder unbeknown to the user. That file would then run on boot, potentially giving an attacker full control of the device. The malicious file would continue to load on startup until discovered and removed.

All an attacker would need to do to exploit the WinRAR vulnerability is to convince a user to open a specially crafted .rar archive file attached to an email. Compressed files are often used in malspam campaigns to hide malicious executable files. Since .rar and .zip files are commonly used by businesses to send large files via email, they are likely to be recognized and may be opened by end users.

In this case, if the archive contents are extracted, the user would likely be unaware that anything untoward had happened, as the executable is loaded into the startup folder without giving any indication the file has been extracted. Due to the location of extraction, no further actions are required by the user.

In this case, the executable installs a backdoor, although only if the user has User Account Control (UAC) disabled. That said, this is unlikely to be the only campaign exploiting the WinRAR vulnerability. Other threat actors may develop a way to exploit the vulnerability for all users that have yet to update to the latest WinRAR version.

Many users will have WinRAR installed on their computer but will rarely use the program, so may not be aware that there is an update available. It is possible that a large percentage of users with the program installed have yet to update to the latest version and are vulnerable to attack.

This campaign illustrates just how important it is to patch promptly. As soon as a patch is released for a popular software program it is only a matter of time before that vulnerability is exploited, even just a few days.

Patching all devices in use in an organization can take time. It is therefore important to make sure that all employees receive security awareness training and are taught email security best practices and how to identify potentially malicious emails.

Unfortunately, social engineering techniques can be highly convincing, and many users may be fooled into opening email attachments, especially when the attacker spoofs the sender’s email address and the email appears to come from a known individual. It is therefore essential to have an advanced spam filtering solution in place that is capable of detecting malicious attachments at source, including malicious files hidden inside compressed files, and stop the messages from being delivered to inboxes.