A recently patched vulnerability affecting the popular archiver utility WinRAR has been increasingly exploited by malicious actors, including to deliver new malware to targeted users.
The security hole, tracked as CVE-2018-20250, impacts a library used by WinRAR for unpacking ACE archives. RARLab has removed the problematic library with the release of WinRAR 5.70 to prevent abuse, but many users have failed to update the application, allowing threat actors to continue launching attacks.
The flaw can be exploited via specially crafted ACE archives to extract a harmless file to the destination folder selected by the user, while also silently extracting a malicious file to a location specified by the attacker. An attacker can achieve arbitrary code execution by extracting malware to the Windows Startup folder, ensuring that it would get executed the next time the operating system boots.
The first attacks exploiting CVE-2018-20250 were observed just days after details of the flaw were made public. McAfee reported seeing over 100 unique exploits in the first week alone, with most targets being located in the U.S.
Other cybersecurity firms have seen attacks launched against Ukraine, the Middle East, and South Korea, and some of these operations have been attributed to advanced persistent threat (APT) actors.
Symantec reported on Wednesday that the WinRAR vulnerability had also been exploited by an Iran-linked cyber espionage group tracked as Elfin and APT33 in an attack aimed at a chemicals organization in Saudi Arabia.
FireEye has also monitored attacks and the company reported this week that it had spotted four campaigns, including ones that delivered new pieces of malware.
One of these operations, likely aimed at users in the United States, involves decoy documents apparently coming from the Council on Social Work Education (CSWE), a national association representing social work education in the U.S.
The hackers copied an accreditation-related document from the CSWE website and sent it to targeted individuals inside an ACE file. When the document is extracted with WinRAR, CVE-2018-20250 is exploited to plant a VBS backdoor (winSrvHost.vbs) in the Windows Startup folder.
Once executed at the next system boot, the backdoor collects some information about the compromised machine and starts communicating with its command and control (C&C) server. The malware allows the attackers to download and execute files on the targeted device. In one instance it was used to deliver the Netwire RAT.
Dileep Kumar Jallepalli, research scientist at FireEye, told SecurityWeek that this VBS backdoor is a new piece of malware.
Another new piece of malware delivered via a WinRAR exploit was spotted in a campaign apparently targeting a company related to the Israeli military. The attackers sent out emails with an ACE archive containing documentation for SysAid, a helpdesk service based in Israel. The decoy files also included a shortcut file named Thumbs.db.lnk that could be used by the attacker to steal NTLM hashes from the system.
In the Startup folder, the attackers extract a new piece of malware that FireEye calls SappyCache. This malware also attempts to download and execute other files, but the C&C server did not respond with any payloads during the company’s analysis.
Another campaign involved archives storing stolen access credentials and payment card data. When the victim extracts these documents, one of several pieces of malware is extracted to their system. The list of payloads used in this operation includes QuasarRAT, Azorult, Netwire, Razy and Buzy, which allow attackers to steal data and take control of compromised systems.
The fourth campaign spotted by FireEye appeared to target Ukraine and it involved a PowerShell backdoor known as Empire. The same attack was previously documented by the 360 Threat Intelligence Center of Chinese cybersecurity firm Qihoo 360.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Tags: 
