Hackers have begun to exploit the WinRAR vulnerability to spread malware
Earlier we mentioned that the security company Check Point had found a vulnerability (CVE-2018-20250, a path-traversal flaw) in a component shipped with WinRAR, which an attacker can use to take complete control of the device. Researchers have now observed a hacker group beginning to exploit it in the wild. As the RedDrip Team put it: “The malicious code is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.” (MSF is the Metasploit Framework; UAC is Windows User Account Control.)
The ACE file format was a widely used archive format some 20 years ago. Initially .ACE was more popular than .RAR, but it was later overtaken by the .RAR format. ACE is also proprietary: there is no open-source or free implementation for creating archives, so ACE archives can only be packed with the developer's own software. The developer does, however, allow other software to call its extraction library (UNACEV2.dll), meaning third-party programs can open ACE archives but cannot create or modify them. This is why most archive managers bundle that library, and it is this library in which the security researchers found the vulnerability.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://t.co/bK0ngP2nIy
IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443
pic.twitter.com/WpJVDaGq3D
— RedDrip Team (@RedDrip7) February 25, 2019
According to the 360 Threat Intelligence Center, it has intercepted an archive carrying malicious code that exploits the ACE library vulnerability. The file is distributed by phishing email. Writing into the global startup folder requires administrator rights, so on a system with UAC enabled the User Account Control prompt appears; as long as the user does not click through and grant administrator rights, the dropped code does not run. If permission is granted, the malware is set up to launch automatically the next time the machine starts.
The malware runs at the next boot and then connects to the attacker's server to download various intrusion tools and adware. A Google VirusTotal scan shows that only some security products block this sample; most anti-virus engines do not detect it. To protect against this vulnerability, update to WinRAR 5.70 Beta 1 or later, which drops the vulnerable ACE library entirely.
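The underlying flaw is a path traversal in the ACE extraction library: a crafted member name makes the extractor write a file outside the directory the user chose, in this case into the all-users Startup folder. The Python script below is an added illustration, not code from WinRAR, the ACE library, Check Point or 360, of the check an extractor must make before writing each member to disk. The member names, the `C:\extract` destination and the function names are constructed for the demo; the Windows path rules it applies come from Python's `ntpath`, so it runs on any host.

```python
"""Added example: the path check an archive extractor must make before it
writes a member to disk. Illustrative code, not WinRAR's or the ACE
library's; all member names and paths below are constructed for the demo."""
import ntpath

# Constructed sample member names. The last four are shaped like the attack
# the article describes: a name that escapes the extraction directory and
# lands in the all-users Startup folder.
SAMPLE_MEMBERS = [
    "report.pdf",
    "docs/readme.txt",
    "docs\\..\\..\\evil.exe",
    "../../evil.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\evil.exe",
    "C:\\C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\evil.exe",
]

# Assumed extraction directory for the demo (hypothetical).
DEFAULT_DEST = "C:\\extract"


def is_safe_member_path(name: str, dest: str = DEFAULT_DEST) -> bool:
    """Return True only if `name`, normalised the way a Windows extractor
    would normalise it, still resolves to a location inside `dest`.

    ntpath is used deliberately so that Windows path semantics apply
    regardless of the operating system running this script.
    """
    # Windows treats forward slashes as separators too.
    candidate = name.replace("/", "\\")
    drive, tail = ntpath.splitdrive(candidate)
    # Drive letters ("C:\\..."), UNC roots ("\\\\server\\share") and rooted
    # paths ("\\Windows\\...") are never legitimate member names.
    if drive or tail.startswith("\\"):
        return False
    # A colon in the remainder is an alternate data stream ("file.txt:ads")
    # or an odd drive spelling; refuse both.
    if ":" in tail:
        return False
    # Collapse ".." components and confirm the result is still under dest.
    dest_norm = ntpath.normpath(dest)
    joined = ntpath.normpath(ntpath.join(dest_norm, candidate))
    return joined == dest_norm or joined.startswith(dest_norm + "\\")


def find_unsafe_members(names, dest: str = DEFAULT_DEST) -> list:
    """Return the member names an extractor should refuse to write."""
    return [n for n in names if not is_safe_member_path(n, dest)]


if __name__ == "__main__":
    for member in SAMPLE_MEMBERS:
        verdict = "ok    " if is_safe_member_path(member) else "REJECT"
        print(f"{verdict} {member}")
```

The check rejects any name that carries a drive, a root or a stream separator before it even looks at `..` components, and then normalises the joined path and compares it against the normalised destination rather than pattern-matching on the raw string; this is what catches a traversal hidden behind a harmless-looking prefix such as `docs\..\..\evil.exe`.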
Via: securityaffairs