Recently fixed WinRAR bug actively exploited in the wild

Several threat actors are still exploiting a recently patched critical vulnerability in the popular compression software WinRAR.

Several threat actors are actively exploiting a critical remote code execution vulnerability recently addressed in WinRAR.

The exploitation of the flaw in the wild is worrisome because the WinRAR software doesn’t have an auto-update feature, leaving millions of users potentially exposed to cyber attacks.

The vulnerability, tracked as CVE-2018-20250, was discovered by experts at Check Point in February, it could allow an attacker to gain the control of the target system.

Over 500 million users worldwide use the popular software and are potentially impacted by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.

The issue affects a third-party library, called UNACEV2.DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL, handles the extraction of files compressed in ACE data format. The experts pointed out that WinRAR determines the file format by analyzing its content and not the extension, this means that an attacker can change the .ace extension to .rar extension to trick the victims.

The researchers discovered that an attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

The WinRAR development team addressed the issue with the release of WinRAR version 5.70 beta 1.

The following video PoC shows how to gain full control over a targeted system by tricking the victims into opening maliciously crafted compressed archive file using WinRAR.

W A few days after the disclosure of the flaw, researchers at the 360 Threat Intelligence Center discovered a malspamcampaign that was distributing a malicious RAR archive that could exploit the flaw to install deliver malware on a computer.

Now, security experts from McAfee reported that attackers are continuing in exploiting the WinRAR flaw, they identified more than “100 unique exploits and counting” in the first week since the vulnerability was publicly disclosed.

“In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.” reads the advisory published by McAfee.

According to the experts, most of the initial targets are located in the United States, in one case attackers attempted to spread the malware through a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”

The file associated with the fake Ariana Grande’s hit album is currently detected by a limited number of antivirus solutions.

The malicious RAR file (Ariana_Grande-thank_u,_next(2019)_[320].rar) extracts a list of harmless MP3 files to the victim’s download folder along with a malicious executable file to the startup folder that allows infecting the targeted system.

“When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.” continues the analysis.

Experts recommend users to keep their system up to date, install the latest version of WinRAR and avoid opening files from untrusted sources.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase