Malware spam campaign exploits WinRAR flaw to deliver Backdoor

Haythem Elmir
0 1
Read Time2 Minute, 19 Second

Experts discovered a malspam campaign that is distributing a malicious RAR archive that could exploit the WinRAR flaw to install deliver malware on a computer.

A few days ago, security experts at CheckPoint software have disclosed a critical 19-year-old vulnerability in the WinRAR that could be exploited by attackers to gain full control over a target computer.

Over 500 million users worldwide use the popular software and are potentially affected by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue a third-party library, called UNACEV2.DLL, that could be exploited to execute arbitrary code by using a specially-crafted file archive.

winrar

The worst aspect of the story is that WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. The way to approach the problem was drastic, the team stopped using the UNACEV2.dll and released WINRar version 5.70 beta 1 that doesn’t support the ACE format.

Now researchers at the 360 Threat Intelligence Center have discovered a malspam campaign that is distributing a malicious RAR archive that could exploit the flaw to install deliver malware on a computer.

An attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

Experts at the 360 Threat Intelligence Center discovered an email that was distributing a specially-crafted RAR archive that when decompressed will infect the system with a backdoor.

It is the first case of malware distributed leveraging the recently discovered flaw in WinRAR, the malicious code is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.

Experts at BleepingComputer analyzed the specially-crafted WinRAR archive and discovered that it attempts to extract the malicious code to the
user’s Startup folder.

WinRAR exploit
Source BleepingComputer.com

Of course, if UAC is running, the attack fails because of the lack of permissions to write in the specific folder, but if the UAC is disabled or WinRAR is running with admin privileges it will drop the backdoor into the following folder:

The malware will connect to http://138[.]204[.]171[.]108/ to download additional tools, including a Cobalt Strike Beacon DLL that allows attackers to establish a backdoor on the infected system and use it as an entry point in the network.

Don’t waste your time, install this new version of the software and do not open compressed archives with WINRAR that were received from unknown sources.

Source: https://securityaffairs.co/wordpress/81669/hacking/winrar-exploit-malspam.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

CVE-2019-9019 affects British Airways Entertainment System on Boeing 777-36N(ER)

The British Airways Entertainment System, as installed on Boeing 777-36N(ER) and possibly other aircraft, is affected by a privilege escalation issue tracked as CVE-2019-9019. Experts discovered a critical vulnerability in the British Airways Entertainment System. The flaw is a privilege escalation issue that resides in the component USB Handler, an attacker could exploit […]