Malware spam campaign exploits WinRAR flaw to deliver Backdoor

on February 28, 2019 |

Experts discovered a malspam campaign that is distributing a malicious RAR archive that could exploit the WinRAR flaw to install deliver malware on a computer.

A few days ago, security experts at CheckPoint software have disclosed a critical 19-year-old vulnerability in the WinRAR that could be exploited by attackers to gain full control over a target computer.

Over 500 million users worldwide use the popular software and are potentially affected by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue a third-party library, called UNACEV2.DLL, that could be exploited to execute arbitrary code by using a specially-crafted file archive.

The worst aspect of the story is that WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. The way to approach the problem was drastic, the team stopped using the UNACEV2.dll and released WINRar version 5.70 beta 1 that doesn’t support the ACE format.

Now researchers at the 360 Threat Intelligence Center have discovered a malspam campaign that is distributing a malicious RAR archive that could exploit the flaw to install deliver malware on a computer.

An attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

Experts at the 360 Threat Intelligence Center discovered an email that was distributing a specially-crafted RAR archive that when decompressed will infect the system with a backdoor.

It is the first case of malware distributed leveraging the recently discovered flaw in WinRAR, the malicious code is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.

Experts at BleepingComputer analyzed the specially-crafted WinRAR archive and discovered that it attempts to extract the malicious code to the
user’s Startup folder.

Source BleepingComputer.com

Of course, if UAC is running, the attack fails because of the lack of permissions to write in the specific folder, but if the UAC is disabled or WinRAR is running with admin privileges it will drop the backdoor into the following folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.

“Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched. Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.” reported BleepingComputer.

The malware will connect to http://138[.]204[.]171[.]108/ to download additional tools, including a Cobalt Strike Beacon DLL that allows attackers to establish a backdoor on the infected system and use it as an entry point in the network.

Don’t waste your time, install this new version of the software and do not open compressed archives with WINRAR that were received from unknown sources.

Pierluigi Paganini

Show Buttons
Hide Buttons