A few days ago, we reported a WinRAR ACE vulnerability that had existed for 19 years. While the vendor removed the vulnerable DLL in the latest version of WinRAR, that alone does not protect the 500 million vulnerable customers still running older versions. Bad actors have already made this evident by exploiting the flaw in malware spam. Allegedly, criminal hackers have been exploiting this WinRAR vulnerability to install a backdoor.
WinRAR ACE Vulnerability Exploited For MalSpam
Days after the WinRAR ACE vulnerability became known, researchers at 360 Threat Intelligence Center discovered its active exploitation.
In a recent tweet, 360 Threat Intelligence Center disclosed their findings.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://t.co/bK0ngP2nIy
— RedDrip Team (@RedDrip7) February 25, 2019
Following the tweet, Bleeping Computer delved into the details and confirmed 360 Threat Intelligence Center's discovery.
Regarding the exploit strategy, both sources confirmed that the malware executes exactly as Check Point described earlier. Once the malicious RAR file reaches the victim's device and is extracted with WinRAR, the payload is written to the Startup folder if UAC is turned off. If UAC is on, the extraction to the Startup folder fails and the victim sees an error message from WinRAR.
After successful extraction of the payload, CMSTray.exe, the malware is set to execute the next time the infected device starts.
Bleeping Computer has also explained the next steps of the attack. As reported, CMSTray.exe then triggers the execution of wbssrv.exe, the malware that carries out all subsequent actions.
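The traversal described above only works because the extractor honours a filename, supplied by the archive itself, that resolves to a location outside the folder the user chose for extraction. The following Python is an added example, not code from the original article, from WinRAR, or from the ACE library: it shows the containment check an extractor should apply to every member name before writing a file, using `ntpath` so that Windows path rules apply on any host. The function names `contained_extract_path` and `audit_members` are hypothetical, and the member names in the demonstration are constructed for illustration (CMSTray.exe is the payload name from the article; the Startup path is the standard per-user Windows location).

```python
import ntpath
from typing import Dict, List, Optional


def contained_extract_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Return the full Windows path an archive member may be written to, or None.

    dest_dir is the absolute folder the user chose for extraction. The result is
    None whenever honouring member_name would place the file anywhere outside
    that folder: drive-qualified or UNC names, names rooted on the current
    drive, '..' climbing, or components containing ':' (embedded drive letters,
    alternate data streams). ntpath applies the Windows rules on any host OS.
    (Hypothetical helper written for this example.)
    """
    # Archive formats commonly carry '/'; Windows treats both separators alike.
    name = member_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\") or not rest.strip("\\"):
        return None  # 'C:\...', '\\server\share\...', '\...' or an empty name
    if ":" in rest:
        return None  # 'C:' buried after the first component, or 'file:stream'
    base = ntpath.normpath(dest_dir)
    candidate = ntpath.normpath(ntpath.join(base, rest))  # collapses '..' and '.'
    # Compare case-insensitively, as NTFS does, and require a separator after the
    # base so that 'C:\extract2' is not mistaken for a child of 'C:\extract'.
    base_n = ntpath.normcase(base).rstrip("\\")
    cand_n = ntpath.normcase(candidate)
    if cand_n == base_n or cand_n.startswith(base_n + "\\"):
        return candidate
    return None


def audit_members(dest_dir: str, member_names: List[str]) -> Dict[str, Optional[str]]:
    """Map each member name to its permitted destination, or None if it must be refused."""
    return {name: contained_extract_path(dest_dir, name) for name in member_names}


if __name__ == "__main__":
    # Constructed member names for illustration; only the first two are benign.
    STARTUP = r"Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    members = [
        r"report\summary.docx",
        "images/../notes.txt",
        ntpath.join("..", "..", STARTUP, "CMSTray.exe"),   # climbs out of the folder
        ntpath.join("C:\\", STARTUP, "CMSTray.exe"),       # drive-qualified name
        ntpath.join("\\", STARTUP, "CMSTray.exe"),         # rooted on the current drive
        "report\\C:\\" + STARTUP + "\\CMSTray.exe",        # drive letter mid-name
    ]
    for name, target in audit_members(r"C:\Users\victim\Downloads\extract", members).items():
        verdict = "ALLOW  " if target else "REFUSE "
        print(verdict + name + (" -> " + target if target else ""))
```

Refusing an entry, rather than silently rewriting it, is the safer default: a rewritten name still lets a crafted archive choose what gets written, while a refusal surfaces the anomaly to the user or to logging.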
“Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.”
Upon execution, the malware connects to [http]://188.8.131.52/ and downloads further malicious files, including a Cobalt Strike Beacon DLL (a penetration-testing tool). The Cobalt Strike Beacon gives the attacker remote access to the target device, from which they can execute arbitrary commands and spread the malware further.
What Should You Do?
Upgrade WinRAR right away to avoid such MalSpam attacks. All you have to do is uninstall the existing version of WinRAR on your device and install the patched version 5.7 beta 1 or later. If that is something you cannot do, then this micropatch by 0patch might help you mitigate the vulnerability (CVE-2018-20250).