Various cybercriminal groups and individual hackers continue to exploit a recently patched critical code execution flaw in WinRAR, a popular Windows file compression application with 500 million users worldwide.
Why? Because WinRAR has no auto-update function, millions of its users are unfortunately still exposed to these attacks.
The critical vulnerability (CVE-2018-20250) patched by the WinRAR team late last month with the release of WinRAR version 5.70 beta 1 affects all previous versions of WinRAR released over the past 19 years.
For those unaware, the vulnerability is the “Absolute Path Traversal” bug that resides in the old third-party library UNACEV2.DLL of WinRAR and enables attackers to extract a compressed executable file from an ACE archive to one of the Windows Startup folders, where the malicious file would run automatically upon the next reboot.
Therefore, to successfully exploit this vulnerability and take complete control of the affected computers, an attacker only needs to convince users to open a maliciously-crafted compressed archive file with WinRAR.
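The bug described above is, at bottom, a missing containment check on entry names before an archive is written to disk. The following Python is an added example (not McAfee's, WinRAR's or the UNACEV2.DLL code) that applies Windows path rules to a constructed list of archive entry names and refuses any that would land outside the chosen destination folder or inside a Startup folder; the sample names and the destination path are made up for illustration.

```python
import ntpath
import re

# Constructed sample of entry names, as an extractor would read them from an
# archive's headers; none of these come from a real malicious file.
SAMPLE_ENTRIES = [
    "Ariana Grande-thank u, next(2019) [320]/01 - imagine.mp3",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\Public\loader.exe",
    r"\\fileserver\share\x.exe",
    "album/../album/cover.jpg",
]

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup(\\|$)", re.IGNORECASE)


def classify_entry(dest_dir, name):
    """Return (safe, reason) for one archive entry name, using Windows path
    rules (ntpath) so the check behaves the same on any host."""
    candidate = name.replace("/", "\\")
    # Colons are illegal in Windows file names; this rejects drive letters
    # ("C:\...") and NTFS alternate data streams ("file.txt:stream") alike.
    if ":" in candidate:
        return False, "drive letter or ':' in name"
    # Leading backslash or UNC prefix: an absolute path, never a relative entry.
    if ntpath.isabs(candidate) or candidate.startswith("\\"):
        return False, "absolute path"
    root = ntpath.normpath(dest_dir)
    resolved = ntpath.normpath(ntpath.join(root, candidate))
    # Containment: after collapsing '..', the target must stay under root.
    if not resolved.lower().startswith(root.lower() + "\\"):
        return False, "escapes destination directory"
    # Belt-and-braces: never write into a Startup folder, whatever the path.
    if STARTUP_RE.search(resolved):
        return False, "targets a Startup folder"
    return True, "ok"


def unsafe_entries(dest_dir, names):
    """List the (name, reason) pairs an extractor must refuse to write."""
    return [(n, r) for n in names for ok, r in [classify_entry(dest_dir, n)] if not ok]


if __name__ == "__main__":
    for name, reason in unsafe_entries(r"C:\Users\victim\Downloads", SAMPLE_ENTRIES):
        print(f"REFUSE {name!r}: {reason}")
```

The same containment rule applies to any archive format; the Startup-folder test is only a second line of defence for the specific drop location this campaign relied on.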
As soon as the details and proof-of-concept (PoC) exploit code were made public, malicious attackers began exploiting the vulnerability in a malspam email campaign to install malware on the computers of users running the vulnerable version of the software.
Now, security researchers from McAfee have reported discovering more than “100 unique exploits and counting” in the first week following the vulnerability’s public disclosure, with the majority of initial targets residing in the United States.
One recent campaign discovered by the researchers rides on a pirated copy of a hit album by Ariana Grande; at the time of writing, only 11 security products detect the file as malware, while 53 antivirus products fail to warn users.
The malicious RAR file (Ariana Grande-thank u, next(2019) [320].rar) detected by McAfee extracts a list of harmless MP3 files to the victim’s download folder but also drops a malicious EXE file to the startup folder, which is intended to infect the victim’s computer with malware.
The researchers explain, “When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder.”
“User Access Control (UAC) is bypassed, so the user is not prompted. When the system restarts, the malware is executed.”
Unfortunately, such campaigns are still active, and the best way to protect yourself is to install the most recent version of WinRAR as soon as possible and to avoid opening archives received from unknown sources.