WinRAR Vulnerability

WinRAR users need to watch out. Hackers are starting to exploit a newly disclosed bug in the file-archiving tool to secretly install malware on Windows PCs.

Chinese security firm Qihoo 360 has uncovered several file archive samples that exploit the WinRAR vulnerability to deliver malware to a victim's computer. One of the attacks was sent over email.

The first sample was detected only two days after the WinRAR bug was publicly disclosed by a separate security firm, Check Point. The bug is particularly problematic because WinRAR claims to have over 500 million users. A hacker can exploit the vulnerability to craft seemingly benign RAR archive files that are actually malicious.

According to Qihoo 360's research division, one of the samples it uncovered is a file archive containing pictures of attractive women. "In order to trigger the vulnerability, attackers put inside lots of image files and lure the victim to decompress the archive," the researchers said in their report.

However, the archive itself has secretly been rigged to exploit the WinRAR bug, which lets an archive be unpacked to a destination other than the folder the user chose. In this case, when the archive is decompressed, it'll covertly deliver a malware executable to the PC's Startup Folder. The next time the victim restarts their PC, the malware will run on startup and create a hidden backdoor that can let the hacker take over their computer and install other forms of malware, the researchers warned.
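The defensive check this description implies, as an added example that is not code from the article, Qihoo 360 or WinRAR: take the member names an archive claims, work out where an extractor that honours those names literally would write each file, and refuse any entry that leaves the chosen folder, especially one that lands in the global Startup folder. The extraction folder, the Startup folder path and the archive entries are constructed sample values.

```python
import ntpath

# Constructed sample values for this example: the folder the victim chose for
# extraction and the global Startup folder the article names.
DEST = r"C:\Users\victim\Downloads"
STARTUP_DIRS = (r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",)

# Constructed archive member names: benign images plus two entries shaped the
# way a rigged archive would need them to be in order to reach the Startup folder.
SAMPLE_ENTRIES = [
    "photos/1.jpg",
    "photos/2.jpg",
    r"..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.ps1",
]

def resolve_entry(dest_dir, entry_name):
    """Where an extractor that honours the stored name literally would write the
    entry. ntpath gives Windows path semantics on any host; ntpath.join discards
    dest_dir when the entry is absolute or rooted, which is exactly the hazard."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name.replace("/", "\\")))

def escapes_destination(dest_dir, entry_name):
    """True if the entry would land anywhere outside the chosen folder."""
    dest = ntpath.normpath(dest_dir).rstrip("\\").lower()
    target = resolve_entry(dest_dir, entry_name).lower()
    return not (target == dest or target.startswith(dest + "\\"))

def lands_in_startup(dest_dir, entry_name):
    """True if the entry would be written into a Startup folder (run at next logon)."""
    target = resolve_entry(dest_dir, entry_name).lower()
    return any(target.startswith(ntpath.normpath(d).lower() + "\\") for d in STARTUP_DIRS)

def audit_entries(dest_dir, entry_names):
    """Return (entry, resolved path, reason) for every entry that must not be extracted."""
    findings = []
    for name in entry_names:
        if escapes_destination(dest_dir, name):
            reason = "startup-folder drop" if lands_in_startup(dest_dir, name) else "escapes destination"
            findings.append((name, resolve_entry(dest_dir, name), reason))
    return findings

if __name__ == "__main__":
    for entry, path, reason in audit_entries(DEST, SAMPLE_ENTRIES):
        print(f"BLOCK ({reason}): {entry!r} -> {path}")
```

Run as-is it flags the two Startup-folder entries and leaves the image files alone; the same check applies to any archive format whose member names are used to build output paths.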

360 Threat Intelligence Center (@360TIC):

Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://www.virustotal.com/#/file/7871204f2832681c8ead96c9d509cd5874ed38bcfc6629cbc45472b9f388e09c/detection

IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443

Qihoo 360 also uncovered another sample that appears to target users based in the Middle East. The sample is a file archive that contains a PDF about a job opportunity in Saudi Arabia. Decompressing the file, however, will deliver a PowerShell-based backdoor to the PC's Startup Folder.

The developers of WinRAR patched the vulnerability starting with a beta release last month. However, it'll be up to users to actually download and install it. The latest WinRAR release, 5.70, rolled out yesterday.

If your PC does accidentally decompress a rigged archive file, antivirus software might be able to detect it. Qihoo 360 uploaded one of the uncovered samples to VirusTotal, which shows that 24 out of 56 antivirus engines, including Microsoft's, detected the file as malicious.

UPDATE 2/28/19: Qihoo 360, Check Point and other security researchers have found more rigged archive files designed to exploit the vulnerability. The new sample found by Qihoo 360 appears to be targeting Ukrainian users.