WinRAR Vulnerability Actively Exploited in the Wild to Install Backdoor

The 19-year old WinRAR vulnerability that was recently identified by Check Point is being exploited in the wild to install a backdoor that allows remote access. An updated version of WinRAR was released in January to correct the flaw, but many users have yet to update to the latest version of the file compression tool.

In January it was estimated that around 500 million individuals worldwide had a vulnerable version of WinRAR installed. With so many potential victims, it is no surprise that hackers have started to exploit the vulnerability.

RARLab explained in its documentation accompanying its January 28, 2019 software update that a flaw had been corrected in the in UNACEV2.DLL library. If the flaw is exploited, a threat actor could create files in arbitrary folders inside or outside a destination folder when unpacking ACE archives. Check Point released a detailed blog post on February 20, 2019, explaining the flaw and how it was discovered.

It took just four days after the Check Point blog post for the first malspam campaign to be detected that was exploiting the flaw to install malicious files.  

UNACEV2.DLL is a third party dynamic link library that is used to unpack ACE archives. The library was discovered not to have any security protections. Check Point researchers were able to exploit a flaw by renaming a RAR file with an ACE extension. Check Point researchers showed how a malicious executable file inside the archive could be extracted to the Startup folder in Windows when the file is unpacked. The file could be copied without the user’s knowledge. When the device is rebooted, the malicious file would run, potentially giving an attacker full control of the device.

Researchers at the 360 Threat Intelligence Center of Qihoo identified a malspam campaign which was exploiting the flaw to create a backdoor in vulnerable devices. The malicious ACE/RAR file contained an executable called CMSTray.exe, which would be sent to the Startup folder when the ACE/RAR file was unpacked. The files was only being detected as malicious by around half of AV engines when details of the campaign were released.

The malicious executable connects to a C2 in Mexico and downloads a penetration testing tool named Cobalt Strike Beacon, which allows the attacker to remotely access an infected device. Since then, further malspam campaigns have been identified that attempt to exploit the vulnerability.

With the WinRAR vulnerability now being actively exploited, it is essential for IT teams to perform scans for all devices with WinRAR installed and update them to version 5.70 as soon as possible.

Author: NetSec Editor