According to FireEye, a number of new campaigns have sprung up utilizing the vulnerability, attacking the Israeli Military, installing VBS backdoors, and deploying malware. “CVE-2018-20250[…]enables attackers to specify arbitrary destinations during file extraction of ‘ACE’ formatted files, regardless of user input,” explains FireEye. “Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, like the Windows ‘Startup’ Start Menu folder.” The first campaign disguises itself as an educational accreditation council. When users extract a file named Scan_Letter_of_Approval.rar, a VBScript file is created. After being transferred to the startup folder, it opens a backdoor in the system. Meanwhile, an attack on the Israeli military industry is disguised as Sys-Aid documentation. In then deploys payload ekrnview.exe to the startup folder. The third attack method was found in Ukraine, a file called zakon.rar used to instigate the Empire backdoor. Finally, a .rar of decoy credit card dumps installs a RAT and password stealers on the user’s system. This one contains a number of different payloads that are detectable by VirusTotal.
Manual Update Required
As you can tell, attackers are having a field day with this exploit, and there’s a good reason. Unlike other software, WinRAR requires manual updates. To advance the version, you must download the latest copy from the official site. As a result, many users have outdated copies of the software and are a prime target for the exploit. Both FireEye and Kaspersky recommend users update to version 5.70 or higher. As always, you should never open archives from unknown senders. You can check your WinRAR version by clicking ‘Help>About WinRAR’ in your app.
