WinRAR spoofing vulnerability being exploited in malware campaign

A WinRAR vulnerability is being taken advantage of in a malware campaign targeting organizations.

A WinRAR vulnerability recently discovered by an Israeli researcher is being exploited in a malware campaign that seems to be targeting government and international organizations, as well as Fortune Global 500 companies, according to cyber intelligence company IntelCrawler. 

WinRAR is a popular archiving program that compresses and decompresses ZIP files.

In a Sunday post, Danor Cohen, an Israeli security researcher, wrote about a vulnerability that allows an individual to create a ZIP file that appears to contain one thing when compressed, but actually houses something different altogether.

From an attacker's standpoint, this means a trojan or other malware can be compressed with WinRAR so that the resulting ZIP file appears to contain an image or some other harmless file. The attacker then waits for someone to click on the file, which is actually an executable, at which point the target is compromised.

Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers wrote in a Wednesday post that it can be exploited on all versions of WinRAR, including version 5.1.

The exploit is possible because, when WinRAR compresses a file, it writes a set of properties for that file, including a second 'file name' field. By altering one of the two 'file name' fields, the ZIP archive will report contents different from what it actually holds.
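The ZIP container stores each member's name twice: once in the local file header that precedes the member's data and once in the central directory at the end of the archive, and the second 'file name' field described above is that duplicate copy. A straightforward defensive check is to parse both copies and flag any entry where they disagree. The Python script below is an added example, not code from the article, from Cohen or from IntelCrawler: it walks the central directory and the local headers with `struct`, and also shows that Python's own `zipfile` module refuses to read a member whose two names differ. The sample archives are constructed in memory for the test; the article does not say which of the two fields WinRAR uses for display and which for extraction, so the check treats any disagreement as suspicious regardless of direction.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory header signature
EOCD_SIG = b"PK\x05\x06"     # end of central directory record signature


def central_directory_entries(data: bytes):
    """Yield (name, local_header_offset) for every central directory entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_disk(2) entries_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    pos = cd_offset
    for _ in range(total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        # fixed part of a central directory header is 46 bytes; name/extra/comment follow
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        local_offset = struct.unpack("<I", data[pos + 42:pos + 46])[0]
        name = data[pos + 46:pos + 46 + name_len]
        yield name, local_offset
        pos += 46 + name_len + extra_len + comment_len


def local_header_name(data: bytes, offset: int) -> bytes:
    """Return the file name stored in the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local file header at offset %d" % offset)
    # fixed part of a local header is 30 bytes; name_len sits at offset 26
    name_len = struct.unpack("<H", data[offset + 26:offset + 28])[0]
    return data[offset + 30:offset + 30 + name_len]


def find_name_mismatches(data: bytes):
    """Return [(central_dir_name, local_header_name)] for entries whose two names disagree."""
    mismatches = []
    for cd_name, offset in central_directory_entries(data):
        lh_name = local_header_name(data, offset)
        if cd_name != lh_name:
            mismatches.append((cd_name.decode("utf-8", "replace"),
                               lh_name.decode("utf-8", "replace")))
    return mismatches


def zipfile_rejects(data: bytes) -> bool:
    """True if Python's zipfile refuses to read a member because its two names differ."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as fh:
                    fh.read()
            except zipfile.BadZipFile:
                return True
    return False


def build_clean_sample() -> bytes:
    """Constructed test archive: one consistent entry named photo.jpg (not a real image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("photo.jpg", b"constructed placeholder bytes, not a real JPEG")
    return buf.getvalue()


def build_inconsistent_sample() -> bytes:
    """Constructed test archive whose local header name and central directory name differ.
    The local header comes first in the file, so patching only the first occurrence of the
    name (same length, so no offsets move) leaves the central directory copy untouched."""
    return build_clean_sample().replace(b"photo.jpg", b"photo.exe", 1)


if __name__ == "__main__":
    for label, sample in (("clean", build_clean_sample()),
                          ("inconsistent", build_inconsistent_sample())):
        print(label, find_name_mismatches(sample), "zipfile rejects:", zipfile_rejects(sample))
```

Run the script on a real archive by reading its bytes and passing them to `find_name_mismatches`; an empty list means every entry's two names agree. Note that the check says nothing about whether the names are themselves misleading, only whether the archive is internally consistent, so it belongs alongside, not instead of, the usual executable-content and attachment-type controls.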

IntelCrawler has observed attackers exploiting this WinRAR vulnerability in a "cyber espionage campaign" that seems to be targeting aerospace corporations, military subcontractors, embassies, and companies from the Fortune Global 500 list, according to the research, which adds that the campaign began on March 24.

In one sample of a spam email obtained by IntelCrawler, the attackers attached the password-protected, malicious ZIP file, named 'FAX.zip', and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.
