WinRAR spoofing vulnerability being exploited in malware campaign

Share this article:
WinRAR spoofing vulnerability being exploited in malware campaign
A WinRAR vulnerability is being taken advantage of in a malware campaign targeting organizations.

A WinRAR vulnerability recently discovered by an Israeli researcher is being exploited in a malware campaign that seems to be targeting government and international organizations, as well as Fortune Global 500 companies, according to cyber intelligence company IntelCrawler. 

WinRAR is a popular software that essentially compresses and decompresses ZIP files.

In a Sunday post, Danor Cohen, an Israeli security researcher, wrote about a vulnerability that allows an individual to create a ZIP file that appears to contain one thing when compressed, but actually houses something different altogether.

From an attacker's standpoint, they can effectively compress a trojan, or some other malware, with WinRAR and make it seem like the created ZIP file contains an image, or something else that is harmless. The attacker then waits for someone to click on the file, which is actually an executable, and the target is compromised.

Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers wrote in a Wednesday post that it can be exploited on all versions of WinRAR, including version 5.1.

The exploit is made possible when WinRAR compresses a file and creates new properties, including an extra ‘file name' input. By altering one of the ‘file name' inputs, the ZIP will say it contains something different from what is actually inside.

IntelCrawler has observed attackers exploiting this WinRAR vulnerability in a “cyber espionage campaign” that seems to be targeting aerospace corporations, military subcontractors, embassies, and companies from the Fortune Global 500 list, according to the research, which adds the campaign began on March 24.

In one sample of a spam email obtained by IntelCrawler, the attackers attached the password protected, malicious ZIP file – named ‘' – and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

Incapsula mitigates multi-vector DDoS attack lasting longer than a month

Incapsula mitigates multi-vector DDoS attack lasting longer than ...

Incapsula's scrubbing servers were able to filter out more than 50 petabits of malicious DDoS traffic aimed at a video game company for longer than a month.

UPS announces breach impacting 51 U.S. locations

The shipping and printing provider said malware has been present on some stores' computer systems since mid-January.

'Machete' espionage campaign targets orgs in Venezuela, Ecuador

The campaign targets Spanish speaking victims, which also appears to be the native language of attackers.