A code execution vulnerability in WinRAR generated more than a hundred distinct exploits in the first week after its disclosure, and the number keeps growing.
The attackers' interest was probably piqued by the file-compression software's 500 million user base and by the fact that the flaw (CVE-2018-20250) was present in every version released over the past 19 years. Furthermore, the reward would be full control over a victim's system.
McAfee researcher Craig Schmugar reported on Thursday that in one recent attack they observed, the attackers enticed victims with a bootlegged copy of Ariana Grande's album "Thank U, Next."
The music files were delivered in an archive named "Ariana_Grande-thank_u,_next(2019)_.rar." When the archive is extracted with a vulnerable version of WinRAR, a malicious payload is written to the Windows Startup folder.
The researcher says that most of the targets observed initially were residents of the United States. The company identified more than 100 exploits in the week following the vulnerability disclosure, and the number is still rising.
“User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run,” Schmugar explains.
Exploits emerge two days after bug disclosure
Security researchers from 360 Threat Intelligence Center discovered exploits for the WinRAR flaw being used in the wild on February 20, two days after its public disclosure. They were used in phishing attacks that lured victims with archived pictures or documents.
More recently, the Chinese researchers noticed a campaign using documents relating to United Nations human rights to lure victims in the Middle East. The payload was a remote access tool (RAT) currently detected by at least 28 antivirus engines.
WinRAR exploit (#CVE-2018-20250) sample (united nations .rar) seems targeting the Middle East. Embedded with bait documents relating to the United Nations Human Rights and the #UN in Arabic, it finally downloads and executes #Revenge RAT. https://t.co/WJ4oJ1UxAz pic.twitter.com/fgHYSD4Mk5
— 360 Threat Intelligence Center (@360TIC) March 12, 2019
CVE-2018-20250 was discovered by Nadav Grossman from Check Point using the WinAFL fuzzer. It is a path traversal logic bug in the 'unacev2.dll' library, which WinRAR bundled to extract the old and now rarely used ACE archive format: the filename stored in an ACE entry can steer the extracted file to a location outside the folder the user chose.
The library's code had remained unchanged since 2005, and its source code was lost in the meantime, so the WinRAR maintainers could no longer fix the vulnerable part. Because of this, the solution was to remove support for ACE archives in the first beta of WinRAR 5.70.
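The flaw described above, and the Startup-folder payload drop mentioned earlier, come down to one decision: an extractor trusts the filename stored in the archive entry to decide where the file is written. The following is an added example, not code from the article, from WinRAR or from unacev2.dll, showing the lexical check an extractor (or a mail gateway vetting archives before delivery) should apply to every entry name before writing anything to disk. `DEST_DIR` and the entry names are constructed for the demonstration, and `entry_is_safe` and `vet_archive_listing` are hypothetical helper names; Windows path rules are applied through `ntpath` so the check behaves the same on any host.

```python
import ntpath

# Constructed extraction target for the demonstration (not a path from the article).
DEST_DIR = r"C:\Users\victim\Downloads\extracted"


def entry_is_safe(dest_dir: str, entry_name: str) -> bool:
    """Return True only if writing archive entry `entry_name` under `dest_dir`
    cannot land outside `dest_dir`. Hypothetical helper; uses Windows path
    semantics via ntpath regardless of the host platform."""
    dest = ntpath.normpath(dest_dir)
    drive, rest = ntpath.splitdrive(entry_name)
    # An entry carrying its own drive ("C:...") or root ("\...") ignores dest_dir entirely.
    if drive or rest.startswith(("\\", "/")):
        return False
    # Lexically resolve "." and ".." so "docs\..\..\x.exe" is judged by where it ends up.
    target = ntpath.normpath(ntpath.join(dest, rest))
    try:
        # commonpath compares whole components, so a sibling directory whose name
        # merely starts with dest_dir (e.g. "...\extracted_old") is not mistaken
        # for a child of it, which a naive string-prefix test would get wrong.
        return ntpath.commonpath([dest, target]) == dest
    except ValueError:
        # Different drives or absolute/relative mix: never inside dest_dir.
        return False


def vet_archive_listing(dest_dir: str, names):
    """Split an archive's entry names into (safe, rejected) lists."""
    safe, rejected = [], []
    for name in names:
        (safe if entry_is_safe(dest_dir, name) else rejected).append(name)
    return safe, rejected


# Constructed entry names covering the cases the check must handle.
SAMPLE_ENTRIES = [
    r"album\01-track.mp3",           # ordinary relative entry
    r"album/02-track.mp3",           # forward slashes are accepted by Windows too
    r"album\..\cover.jpg",           # ".." that still resolves inside dest
    r"..\..\..\dropped.exe",         # climbs out of dest (path traversal)
    r"C:\Windows\Temp\payload.exe",  # absolute path, dest is ignored
    r"\Users\Public\payload.exe",    # rooted path on the current drive
    r"..\extracted_old\payload.exe", # sibling dir sharing dest's name as a prefix
]

if __name__ == "__main__":
    ok, bad = vet_archive_listing(DEST_DIR, SAMPLE_ENTRIES)
    print("safe:", ok)
    print("rejected:", bad)
```

The check is purely lexical: it decides where a name would resolve before any file is created, and it rejects rather than silently renames, so a tampered archive fails loudly. It does not cover directory junctions or symbolic links already present under the destination; an extractor that creates directories itself should additionally refuse to follow links it did not create.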
However, users can still keep ACE support in WinRAR by applying a micropatch created specifically to address this issue. It is available via the 0Patch platform from ACROS Security.
WinRAR users are advised to use either solution to immunize the program against current exploitation methods.