Hackers Begin Exploiting WinRAR ACE Vulnerability To Install Backdoor


A few days ago, we reported a WinRAR ACE vulnerability that had gone unnoticed for 19 years. The vendor has removed the vulnerable DLL in the latest WinRAR release, but that alone does not protect the estimated 500 million users who are still running older versions. Attackers have already made this evident: they have started exploiting the flaw in malspam campaigns, reportedly to install a backdoor.

WinRAR ACE Vulnerability Exploited For MalSpam

Days after the WinRAR ACE vulnerability became public, researchers at 360 Threat Intelligence Center spotted it being exploited in the wild.

360 Threat Intelligence Center disclosed the finding in a tweet.

Following the tweet, Bleeping Computer analyzed the sample and confirmed 360 Threat Intelligence Center's finding.

Regarding the exploit technique, both sources confirm that the sample works exactly as Check Point described. The malicious archive (an ACE file delivered with a .rar extension) contains a file whose stored path points at the Windows Startup folder, so when the victim extracts the archive WinRAR writes the payload there instead of into the chosen extraction directory. This only succeeds when UAC is turned off; with UAC enabled, WinRAR lacks the rights to write to that folder, the payload is not extracted, and the victim sees a WinRAR error message.

Once the payload, CMSTray.exe, has been written to the Startup folder, it runs automatically the next time a user logs on to the infected device.
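The step that makes this campaign work is an archive member whose stored name is not confined to the chosen extraction directory. The following is an added example, not code from the article, Check Point or WinRAR: it shows the naive join a trusting extractor performs beside a confinement check that refuses such names. The destination and member names are constructed for illustration; the exact malformed path carried by the malicious archive is not reproduced.

```python
"""Destination-confinement check for archive member names.

Uses ntpath so Windows path rules apply on any host; `dest` must be an
absolute Windows path such as C:\\extract.
"""
import ntpath

DEST = r"C:\extract"  # constructed extraction directory


def naive_target(dest: str, member: str) -> str:
    """What an extractor computes when it trusts the stored name: a joined
    path.  A member that carries its own root (drive letter, UNC prefix,
    leading backslash) simply replaces `dest`, and ".." components walk out
    of it.  This is the behaviour a path-traversal archive abuses."""
    return ntpath.normpath(ntpath.join(dest, member))


def member_is_confined(dest: str, member: str) -> bool:
    """Return True only if writing `member` beneath `dest` cannot land
    outside `dest` under Windows path rules."""
    if not member or "\x00" in member:
        return False
    # 1. Refuse names that carry their own root: drive letters ("C:x",
    #    "C:\x"), UNC and device paths ("\\server\share\x", "\\?\C:\x") and
    #    rooted paths ("\Windows\x").  "C:x" is drive-relative and would be
    #    joined silently by ntpath.join, so the explicit check matters.
    drive, _ = ntpath.splitdrive(member)
    if drive or member.startswith(("\\", "/")):
        return False
    # 2. Join, collapse "." and "..", unify separators and case, then make
    #    sure the result is still strictly beneath dest.  The trailing
    #    backslash on `base` stops "C:\extract2\..." from passing for
    #    dest "C:\extract".
    base = ntpath.normcase(ntpath.normpath(dest)).rstrip("\\") + "\\"
    target = ntpath.normcase(naive_target(dest, member))
    return target.startswith(base)


def plan_extraction(dest: str, members):
    """Partition member names into (accepted, refused) before any file is
    written, so one bad entry cannot abort a half-finished extraction."""
    accepted, refused = [], []
    for name in members:
        (accepted if member_is_confined(dest, name) else refused).append(name)
    return accepted, refused


# Constructed member names for demonstration only.
STARTUP_DIR = r"ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_MEMBERS = [
    r"docs\readme.txt",                        # ordinary relative name
    r"a\..\b.txt",                              # ".." that stays inside
    r"..\..\..\%s\CMSTray.exe" % STARTUP_DIR,   # climbs out of dest
    r"C:\%s\CMSTray.exe" % STARTUP_DIR,         # absolute path on a drive
    r"C:CMSTray.exe",                           # drive-relative
    r"\\evil\share\CMSTray.exe",                # UNC path
    r"\Windows\System32\CMSTray.exe",           # rooted, no drive
]

if __name__ == "__main__":
    ok, _bad = plan_extraction(DEST, SAMPLE_MEMBERS)
    for name in SAMPLE_MEMBERS:
        verdict = "write" if name in ok else "REFUSE"
        print(f"{verdict:7} {name!r:60} -> {naive_target(DEST, name)}")
```

Refusing drive-qualified and rooted names outright, before the prefix comparison, is deliberate: a drive-relative name like `C:CMSTray.exe` resolves against the process's current directory on that drive, which the extractor does not control.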

Bleeping Computer also describes what happens next. CMSTray.exe in turn launches wbssrv.exe, the component that carries out the rest of the attack:

“Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.”

[Screenshot: launching %Temp%\wbssrv.exe (Source: Bleeping Computer)]

Once running, wbssrv.exe connects to [http]://138.204.171.108/ and downloads further malicious files, including a Cobalt Strike Beacon DLL. Cobalt Strike is a commercial penetration-testing framework, and its Beacon implant gives the attacker remote access to the compromised device: they can run arbitrary commands on it and use it as a foothold to spread the malware further.

What Should You Do?

Upgrade WinRAR right away to close the door on this malspam. Install version 5.70 beta 1 or later (uninstalling the old version first, or simply installing over it); the fix removes the vulnerable UNACEV2.dll rather than patching it, so after upgrading check that no copy of that DLL remains in the WinRAR program folder. WinRAR has no automatic update, so every installation has to be updated by hand. If you cannot upgrade, the micropatch released by 0patch mitigates the vulnerability (CVE-2018-20250) in place.
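To check a machine for the artefacts this write-up names (a dropped executable in a Startup folder, wbssrv.exe in %Temp%, and a lingering UNACEV2.dll in the WinRAR folder), here is an added triage script; it is not from the article, Bleeping Computer or 360 Threat Intelligence Center. The Windows default paths in windows_defaults() are assumptions about a standard install, and demo_on_fixture() runs the same logic over a constructed directory layout so it can be exercised anywhere.

```python
"""Quick host triage for the artefacts named in the write-up."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names from the write-up (CMSTray.exe, wbssrv.exe) and the ACE
# library WinRAR removed in 5.70 beta 1 (UNACEV2.dll).
PAYLOAD_NAME = "cmstray.exe"
DROPPER_NAME = "wbssrv.exe"
ACE_DLL_NAME = "unacev2.dll"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ci(directory: Path, name: str):
    """Case-insensitive lookup of a file name, as Windows would match it."""
    if not directory.is_dir():
        return None
    for p in directory.iterdir():
        if p.is_file() and p.name.lower() == name.lower():
            return p
    return None


def hunt(startup_dirs, temp_dir, winrar_dir):
    """Return a list of (kind, path, sha256) findings; empty means clean."""
    findings = []
    for d in map(Path, startup_dirs):
        if not d.is_dir():
            continue
        for p in d.iterdir():
            # Legitimate Startup entries are almost always .lnk shortcuts; a
            # bare executable dropped there is worth a look whatever its name.
            if p.is_file() and p.suffix.lower() != ".lnk":
                kind = ("startup-payload" if p.name.lower() == PAYLOAD_NAME
                        else "startup-executable")
                findings.append((kind, str(p), sha256_of(p)))
    dropper = find_ci(Path(temp_dir), DROPPER_NAME)
    if dropper:
        findings.append(("temp-dropper", str(dropper), sha256_of(dropper)))
    dll = find_ci(Path(winrar_dir), ACE_DLL_NAME)
    if dll:
        findings.append(("vulnerable-ace-dll", str(dll), sha256_of(dll)))
    return findings


def windows_defaults():
    """Default locations on a live Windows host (assumed standard paths)."""
    appdata = os.environ.get("APPDATA", "")
    programdata = os.environ.get("PROGRAMDATA", "")
    return (
        [Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup",
         Path(programdata) / "Microsoft/Windows/Start Menu/Programs/Startup"],
        os.environ.get("TEMP", ""),
        Path(os.environ.get("PROGRAMFILES", "")) / "WinRAR",
    )


def demo_on_fixture(plant: bool = True):
    """Run hunt() over a constructed directory layout, not a real host,
    and return the finding kinds in order."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        startup, temp, winrar = r / "Startup", r / "Temp", r / "WinRAR"
        for d in (startup, temp, winrar):
            d.mkdir()
        (startup / "OneDrive.lnk").write_bytes(b"L\x00\x00\x00")  # benign shortcut
        if plant:  # constructed stand-ins, not real malware
            (startup / "CMSTray.exe").write_bytes(b"MZ constructed sample")
            (temp / "wbssrv.exe").write_bytes(b"MZ constructed sample")
            (winrar / "UNACEV2.dll").write_bytes(b"MZ constructed sample")
        return [kind for kind, _, _ in hunt([startup], temp, winrar)]


if __name__ == "__main__":
    dirs, temp, winrar = windows_defaults()
    for finding in hunt(dirs, temp, winrar) or [("clean", "", "")]:
        print(*finding)
```

Any hit from the startup check should be hashed and submitted for triage before deletion, and a present UNACEV2.dll means the upgrade did not take even if the version number looks right.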

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]