Last week, researchers unveiled a 19-year-old bug in an ancient ACE archive decompressor that, up until recently, shipped with modern builds of WinRAR. WinRAR’s own website suggests that the software has a user base of over 500 million, and while the latest beta versions of the software have removed the vulnerable .dll file, Bleeping Computer reports that researchers have already discovered a campaign to exploit the millions of unpatched installations in the wild. The 360 Threat Intelligence Center says the “Malspam” campaign distributes malicious archives through email, but Bleeping Computer’s own testing reveals that it only works if UAC is disabled or if WinRAR is run as an administrator.
On the other hand, if UAC is disabled or WinRAR is run with administrator privileges it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe… Once launched, the malware will connect to http://138.204.171.108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim’s computer… As we expect to see more malware attempt to exploit this vulnerability, whether it be through malspam or other methods, it is important that you upgrade to the latest version of WinRAR. If you are unable to upgrade for some reason, then you can use 0Patch’s WinRAR micropatch to address this specific WinRAR bug. This micropatch will fix the vulnerability in all 32-bit and 64-bit WinRAR versions using the UNACEV2.DLL since 2005.
Extracting the exploit to ProgramData presumably allows it to run as an administrator without any kind of UAC prompt, but Windows also has a startup folder at “%appdata%/microsoft/windows/start menu/programs/startup” that (to my knowledge) doesn’t require admin rights to access. In addition to running an up-to-date version of WinRAR (or alternatives like 7zip), occasionally checking either of those startup directories for files that shouldn’t be there is probably a good idea.
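One way to do that check, as an added PowerShell example that is not from the article or from any of the sources it quotes: it inventories both Startup folders (the all-users one under ProgramData and the per-user one under %APPDATA%) with signature status and SHA-256 hashes, and reports whether an installed WinRAR still carries UNACEV2.DLL. The WinRAR install directories are assumed defaults.

```powershell
# Added example, not code from the article or from Bleeping Computer.
# Lists what sits in both Windows Startup folders named in the post and
# reports whether an installed WinRAR still carries the ACE decoder UNACEV2.DLL.

function Get-StartupFolderInventory {
    $dirs = @(
        [Environment]::GetFolderPath('CommonStartup'),  # all users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
        [Environment]::GetFolderPath('Startup')         # current user: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    )
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force also shows hidden entries such as desktop.ini
        Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Folder    = $dir
                Name      = $_.Name
                Created   = $_.CreationTime
                SizeBytes = $_.Length
                Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-WinRarAceStatus {
    # Assumed default install locations; a custom install may live elsewhere.
    $candidates = @("$env:ProgramFiles\WinRAR", "${env:ProgramFiles(x86)}\WinRAR")
    foreach ($dir in $candidates) {
        $exe = Join-Path $dir 'WinRAR.exe'
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        [pscustomobject]@{
            InstallDir = $dir
            Version    = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
            # Fixed builds dropped the ACE decoder entirely, so its presence means the
            # install is outdated or still needs the 0Patch micropatch the article mentions.
            HasUnacev2 = Test-Path -LiteralPath (Join-Path $dir 'UNACEV2.DLL')
        }
    }
}

Get-StartupFolderInventory | Format-Table -AutoSize
Get-WinRarAceStatus        | Format-Table -AutoSize
```

Anything in the Startup folders that is unsigned, recently created, or not something you remember installing deserves a closer look; a WinRAR row with HasUnacev2 set to True means the ACE code path is still present.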
Source: [H]ardOCP – Malspam Exploits a WinRAR Security Hole