A critical vulnerability in the WinRAR file compression utility is under active attack by a wide range of malicious actors, who are exploiting the code execution flaw to install password stealers and other types of malware.
In one campaign, according to a report published by researchers at security firm FireEye, attackers are distributing archives that purport to contain stolen data. One file, named leaks copy.rar, supposedly holds e-mail addresses and passwords compromised in a breach. Another, cc.rar, is claimed to contain stolen credit card data. The other archives carry names including zabugor.rar, ZabugorV.rar, Combolist.rar, and Nulled2019.rar.
The archives actually hide payloads from several malware families. They include a keylogger called QuasarRat and a malicious program called Buzy whose code contains Chinese-language text.
The FireEye report identified three other campaigns, namely:
- One that impersonates an educational accreditation body, using as a lure a PDF letter that appears to have been copied from the website of a council on social work education. When the archive is extracted, it drops a Visual Basic script into the computer's Startup folder; the script installs a remote-access trojan called Netwire.
- An attack targeting the Israeli defense industry that uses lure files related to SysAid, an Israel-based helpdesk software provider. The payload, called SappyCache, decrypts a file stored in a temporary folder to obtain the address of a command-and-control server, then attempts to download and install a second-stage malware file from that server. The server never responded during FireEye's analysis.
- An attack, possibly aimed at a single person in Ukraine, that uses a purported PDF message from the country's former president, Viktor Yanukovych, as a lure. The exploit places a batch file in the Startup folder that, once run, installs a payload called Empire.
FireEye is not the only company to have seen such exploits. A separate report from security firm Symantec said an espionage group known as Elfin and APT33 had been spotted exploiting the WinRAR vulnerability against a target in the chemical industry in Saudi Arabia.
The attackers sent a phishing e-mail to at least two employees of the targeted company. The e-mail included a malicious archive named JobDetails.rar. When extracted on a computer running a vulnerable version of WinRAR, the archive could install any file of the attackers' choosing. Symantec had updated its software to block exploits of the vulnerability before the attack took place, and that protection prevented the attack from working against the targeted company.
Adam Meyers, vice president of intelligence at security firm CrowdStrike, told Ars:
CrowdStrike tracks the activity of Elfin/APT-33, which has an alleged link to the Islamic Republic of Iran, under the name REFINED KITTEN. This actor has been involved in espionage operations, mainly via spear-phishing efforts, since at least 2013. We can confirm that we have recently observed them deploying a malicious program called PoshC2 targeting the Kingdom of Saudi Arabia with the help of a job-themed lure and the recently disclosed vulnerability CVE-2018-20250.
Interestingly, the Symantec report noted that in an Elfin attack on a US-based organization last February, the attackers downloaded WinRAR onto a compromised machine. "Elfin downloaded and used WinRAR in its attempts to exfiltrate data after compromise," Sylvester Segura, a threat analyst at Symantec, said in an e-mail.
As Ars has previously reported, the code execution vulnerability in WinRAR went undetected for more than 19 years. It stems from an absolute path traversal flaw: a crafted archive can cause files to be extracted into the Windows Startup folder (or any other folder chosen by the archive's creator) without generating a warning. Any payload dropped there is executed automatically the next time the computer restarts. The vulnerability, tracked as CVE-2018-20250, was fixed in version 5.70. It is particularly serious because WinRAR has an installed base of about 500 million users and the software has no way to update itself automatically.
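To make the bug class concrete, the following is an added example written for this page; it is not WinRAR's code, nor the exploit used in any of the campaigns above. It models an extractor's decision about where an archive entry lands using Python's pure Windows path functions (so it runs on any OS), contrasting a naive join, which lets an absolute or `..`-laden entry name override the chosen extraction folder, with a hardened check that rejects such entries. The victim paths and entry names (EXTRACT_DIR, STARTUP_DIR, the payload name) are constructed for illustration and are not taken from any real archive.

```python
"""
Added illustration of absolute path traversal at archive extraction time.

Not WinRAR's code and not a real exploit: this models the bug class with
ntpath/PureWindowsPath so it runs on any OS. Every path and entry name
below is a constructed example.
"""
import ntpath
from pathlib import PureWindowsPath

# Assumed victim layout (constructed, not from the article).
EXTRACT_DIR = r"C:\Users\victim\Downloads\extracted"
STARTUP_DIR = (r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
               r"\Start Menu\Programs\Startup")

# Constructed entry names: one benign, one absolute-path escape, and one
# relative traversal. The hostile names are illustrative only.
SAMPLE_ENTRIES = [
    r"docs\readme.txt",
    STARTUP_DIR + r"\payload.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe",
]


def naive_destination(extract_dir: str, entry_name: str) -> str:
    """Vulnerable behaviour: join and normalize without any validation.

    ntpath.join discards extract_dir entirely when entry_name is absolute,
    and normpath walks '..' components upward, so the archive author, not
    the user, decides where the file is written.
    """
    return ntpath.normpath(ntpath.join(extract_dir, entry_name))


def safe_destination(extract_dir: str, entry_name: str) -> str:
    """Hardened behaviour: reject any entry that could leave extract_dir."""
    entry = PureWindowsPath(entry_name)
    # A drive letter, UNC prefix or leading separator marks an absolute or
    # drive-relative name; a legitimate archive entry never needs one.
    if entry.drive or entry.root:
        raise ValueError(f"absolute or rooted entry name: {entry_name!r}")
    if ".." in entry.parts:
        raise ValueError(f"parent-directory traversal in: {entry_name!r}")
    base = ntpath.normpath(extract_dir)
    dest = ntpath.normpath(ntpath.join(base, entry_name))
    # Defence in depth: the normalized result must still sit under base.
    if ntpath.commonpath([base, dest]) != base:
        raise ValueError(f"entry escapes extraction directory: {entry_name!r}")
    return dest


def is_in_startup(path: str) -> bool:
    """True if a destination lies under a Windows Startup folder, where
    anything written is executed at the user's next logon."""
    marker = "\\start menu\\programs\\startup\\"
    return marker in ntpath.normpath(path).lower()


def scan_entries(extract_dir: str, entries: list[str]) -> dict[str, str]:
    """Report, per entry, what the hardened check decides and whether a
    naive extractor would have planted the file in the Startup folder."""
    report = {}
    for name in entries:
        naive = naive_destination(extract_dir, name)
        try:
            safe_destination(extract_dir, name)
            verdict = "ok"
        except ValueError as exc:
            verdict = f"rejected ({exc})"
        if is_in_startup(naive):
            verdict += "; naive extractor would drop it in Startup"
        report[name] = verdict
    return report


if __name__ == "__main__":
    for name, verdict in scan_entries(EXTRACT_DIR, SAMPLE_ENTRIES).items():
        print(f"{name}\n    -> {verdict}")
```

Running the script shows both hostile entries resolving to the Startup folder under the naive join and being refused by the hardened check, while the benign entry lands under EXTRACT_DIR. The same three checks (no drive or root, no `..` component, normalized result still under the base) are what any extractor should apply to untrusted entry names, regardless of archive format.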
Two weeks ago, a report revealed that attackers were exploiting the vulnerability to install hard-to-detect malware on vulnerable computers. The new reports indicate that WinRAR attacks are unlikely to subside any time soon.
"We have seen how various threat actors are abusing the newly disclosed WinRAR vulnerability using custom lures and payloads, and using different propagation techniques such as email and URLs," wrote FireEye researcher Dileep Kumar Jallepalli. "Due to the huge WinRAR client base, the lack of automatic update functionality, and the ease of exploiting this vulnerability, we expect more threat actors to use it in the coming days."