Malware spam campaign exploits WinRAR flaw to deliver Backdoor

Experts discovered a malspam campaign that is distributing a malicious RAR archive that could exploit the WinRAR flaw to install deliver malware on a computer.

A few days ago, security experts at CheckPoint software have disclosed a critical 19-year-old vulnerability in the WinRAR that could be exploited by attackers to gain full control over a target computer.

Over 500 million users worldwide use the popular software and are potentially affected by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue a third-party library, called UNACEV2.DLL, that could be exploited to execute arbitrary code by using a specially-crafted file archive.

The worst aspect of the story is that WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. The way to approach the problem was drastic, the team stopped using the UNACEV2.dll and released WINRar version 5.70 beta 1 that doesn’t support the ACE format.

Now researchers at the 360 Threat Intelligence Center have discovered a malspam campaign that is distributing a malicious RAR archive that could exploit the flaw to install deliver malware on a computer.

An attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

Experts at the 360 Threat Intelligence Center discovered an email that was distributing a specially-crafted RAR archive that when decompressed will infect the system with a backdoor.

It is the first case of malware distributed leveraging the recently discovered flaw in WinRAR, the malicious code is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.

Experts at BleepingComputer analyzed the specially-crafted WinRAR archive and discovered that it attempts to extract the malicious code to the
user’s Startup folder.


Of course, if UAC is running, the attack fails because of the lack of permissions to write in the specific folder, but if the UAC is disabled or WinRAR is running with admin privileges it will drop the backdoor into the following folder:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.

“Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched. Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.” reported BleepingComputer.

The malware will connect to http://138[.]204[.]171[.]108/ to download additional tools, including a Cobalt Strike Beacon DLL that allows attackers to establish a backdoor on the infected system and use it as an entry point in the network.

Don’t waste your time, install this new version of the software and do not open compressed archives with WINRAR that were received from unknown sources.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2021

We are in our 9th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.