Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor (Feb 25, 2019)
Security researchers have observed a malspam campaign exploiting a 19-year-old vulnerability, registered as “CVE-2018-20250” and located in the “WinRAR UNACEV2.DLL” library, to install a backdoor. The observation comes one week after Check Point researchers disclosed the vulnerability. A threat actor can exploit it by crafting a custom ACE archive that, when extracted, writes a file to the Windows Startup folder. Because everything in that folder launches as soon as a user logs in to Windows, this grants the executable persistence on the machine. The malware was found to download various files, one of which was the “Cobalt Strike Beacon DLL,” which is a penetration testing tool. Approximately 500 million users are believed to have WinRAR installed, which represents a tremendous target pool for threat actors.
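The defensive point in the paragraph above is that an archive entry's stored path must never decide where a file lands outside the folder the user chose. The following is an added example, not code from the article, from Check Point or from WinRAR: a path check of the kind an extraction tool should apply to every entry before writing it, rejecting absolute or drive-qualified names, names that climb out of the extraction directory, and any destination that resolves into a Windows Startup folder. The function names (`unsafe_reason`, `triage`) and the archive entry names are constructed for this example; the code works on entry names only and does not parse the ACE format.

```python
"""
Added example: refuse archive entries that would extract outside the
chosen directory or into a Startup folder (the class of problem behind
CVE-2018-20250). Entry names below are constructed sample data.
"""
import ntpath
from typing import List, Optional, Tuple

# Both the per-user (%APPDATA%) and all-users (%ProgramData%) Startup
# folders end with this fragment; compared case-insensitively.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"


def unsafe_reason(entry_name: str, extract_dir: str) -> Optional[str]:
    """Return why the entry must not be extracted, or None if it is safe."""
    # Archives may store either separator; normalise to Windows form.
    name = entry_name.replace("/", "\\")

    # Absolute, rooted (\foo), UNC (\\server\share) or drive-relative (C:foo)
    # names are never acceptable inside an archive.
    drive, rest = ntpath.splitdrive(name)
    if drive or rest.startswith("\\"):
        return "absolute or drive-qualified path"

    # Resolve '..' components against the extraction directory and insist
    # that the result still lies strictly below it.
    base = ntpath.normpath(extract_dir)
    dest = ntpath.normpath(ntpath.join(base, name))
    if not dest.lower().startswith(base.lower() + "\\"):
        return "escapes extraction directory"

    # Even a path that stays below the chosen directory is refused if the
    # user happens to be extracting somewhere above a Startup folder.
    if STARTUP_FRAGMENT in dest.lower() + "\\":
        return "targets a Startup folder"

    return None


def triage(entries: List[str], extract_dir: str) -> List[Tuple[str, str]]:
    """Return (entry, reason) for every entry that should be refused."""
    findings = []
    for entry in entries:
        reason = unsafe_reason(entry, extract_dir)
        if reason:
            findings.append((entry, reason))
    return findings


# Constructed sample listing: one benign entry and three that a safe
# extractor must refuse.
SAMPLE_ENTRIES = [
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe",
    "\\\\fileserver\\share\\tool.exe",
]
SAMPLE_EXTRACT_DIR = "C:\\Users\\alice\\Downloads\\out"

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_ENTRIES, SAMPLE_EXTRACT_DIR):
        print(f"REFUSED {entry!r}: {reason}")
```

The check is deliberately applied to the resolved destination rather than to the raw entry string, so separator variants and `..` sequences are judged by where they would actually write. The same logic is usable for triaging an archive listing produced by any tool, without extracting anything.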
Recommendation: Publicly discussed vulnerabilities are exploited by threat actors soon after the information becomes available, and the large user base for WinRAR increases the likelihood that other malware families will also try to exploit this vulnerability. Windows users should update WinRAR to the latest version as soon as possible; it can be found here: “https://www.win-rar.com/latestnews.html?&L=0”
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.