Logo: WinRAR // Composition: ZDNet
A vulnerability that impacts all the WinRAR versions released in the last 19 years has become the go-to exploit for many malware distributors over the course of the last month.
Several campaigns have been detected so far during which cyber-criminal groups, and possibly some nation-state hackers, tried to exploit the WinRAR vulnerability to plant malware on users’ devices.
The vulnerability was publicly disclosed on February 20 by security researchers from Israli cyber-security firm Check Point. An attacker can create booby-trapped archives that when unpacked with the WinRAR app would place malicious files anywhere on users’ systems.
Check Point argued that attackers would use this vulnerability (tracked as CVE-2018-20250) to plant malware in the Windows Startup folder, where it would automatically execute after each system reboot.
Their hunch was correct and within a week, hacker groups began exploiting the vulnerability to plant backdoor trojans on users computers.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.https://t.co/bK0ngP2nIy
— 360 Threat Intelligence Center (@360TIC) February 25, 2019
Spam campaigns continued after this first campaign, and diversified to spread different malware payloads, using different lures, ranging from technical documents to adult images.
Malicious archives that tried to exploit the WinRAR flaw were also sent to South Korean government agencies a day before the second Donald Trump and Kim Jong-un summit that took place at the end February in Vietnam.
While none of the security researchers with whom ZDNet spoke at the time confirmed any links to North Korean or Russian state hacking groups, the timing and targeting were consistent with nation-state hacking operations, they said.
But this wasn’t the only event where politically-themed spear-phishing campaigns were seen using the WinRAR exploit. There were two others.
The first used a theme about an Ukrainian law to lure victims into unzipping a malicious archive exploiting the WinRAR flaw.
And then there was a second campaign that used a lure about United Nations and human rights to target users in the Middle East.
Both of these are highly targeted attacks, and most likely the work of intelligence services engaged in cyber-espionage.
But while nation-states seems to have hopped on the WinRAR exploitation train, this doesn’t mean that regular cyber-crime gangs have stopped using the same vulnerability for distributing mundane malware strains.
In a report published yesterday, US cyber-security firm McAfee described the latest of these campaigns, one using an Ariana Grande lure to trick users into opening booby-trapped archives that plant malware on their systems.
All in all, McAfee experts say they’ve seen “100 unique exploits and counting” that used the WinRAR vulnerability to infect users.
In the grand scheme of things, these attacks are bound to continue because WinRAR is an ideal attack surface –the app has more than 500 million users (according to its vendor), most of which are most likely running an out-of-date version that can be exploited.
WinRAR devs released WinRAR 5.70 Beta 1 on January 28 to address this vulnerability, however, users have to manually visit the WinRAR site, download and then install it. The vast majority of users are most likely unaware that this vulnerability even exists, let alone that they need to install a critical security update.