WinRAR spoofing vulnerability being exploited in malware campaign

A WinRAR vulnerability is being taken advantage of in a malware campaign targeting organizations.

A WinRAR vulnerability recently discovered by an Israeli researcher is being exploited in a malware campaign that seems to be targeting government and international organizations, as well as Fortune Global 500 companies, according to cyber intelligence company IntelCrawler. 

WinRAR is popular archiving software that, in essence, compresses and decompresses ZIP files.

In a Sunday post, Danor Cohen, an Israeli security researcher, wrote about a vulnerability that allows an individual to create a ZIP file that appears to contain one thing when compressed, but actually houses something different altogether.

From an attacker's standpoint, this means a trojan or other malware can be compressed with WinRAR so that the resulting ZIP file appears to contain an image or some other harmless file. The attacker then waits for someone to click on the file, which is actually an executable, and the target is compromised.

Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers wrote in a Wednesday post that it can be exploited on all versions of WinRAR, including version 5.1.

The exploit is made possible when WinRAR compresses a file and creates new properties, including an extra 'file name' input. By altering one of the 'file name' inputs, the ZIP will say it contains something different from what is actually inside.
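The ZIP format itself stores each entry's name twice, once in the local file header and once in the central directory, which matches the two 'file name' inputs described above. The following Python script, added here as an illustration and not code from the article or from the researchers, lists entries whose two names disagree; the spoofed archive it inspects is constructed inside the script.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"


def local_header_name(raw: bytes, offset: int) -> str:
    """Read the entry name stored in the local file header at `offset`."""
    if raw[offset:offset + 4] != LOCAL_HEADER_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    # Fixed part of a local header is 30 bytes; name length sits at byte 26.
    name_len = struct.unpack_from("<H", raw, offset + 26)[0]
    return raw[offset + 30:offset + 30 + name_len].decode("cp437")


def find_name_mismatches(raw: bytes) -> list:
    """Return (central_directory_name, local_header_name) pairs that differ.

    A listing built from one copy of the name and an extraction driven by
    the other is exactly the disagreement an extension spoof depends on,
    so any mismatch is worth flagging before the archive is opened."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():  # central directory entries
            local = local_header_name(raw, info.header_offset)
            if local != info.filename:
                mismatches.append((info.filename, local))
    return mismatches


def build_sample(spoof: bool) -> bytes:
    """Constructed sample archive with one entry named holiday.exe.

    With spoof=True the central directory copy of the name is rewritten
    to holiday.jpg (same length, so no offsets move) while the local
    header still says holiday.exe. The payload is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.exe", b"placeholder bytes, not a real program")
    raw = bytearray(buf.getvalue())
    if spoof:
        # The central directory follows the local header, so the last
        # occurrence of the name is the directory copy; patch only that.
        pos = raw.rfind(b"holiday.exe")
        raw[pos:pos + len(b"holiday.exe")] = b"holiday.jpg"
    return bytes(raw)


if __name__ == "__main__":
    for shown, real in find_name_mismatches(build_sample(spoof=True)):
        print(f"listing shows {shown!r} but the entry is actually {real!r}")
```

Python's own zipfile module refuses to extract an entry whose two names differ, so the same comparison can be run as a mail-gateway or endpoint check on real attachments by passing the file's bytes to find_name_mismatches.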

IntelCrawler has observed attackers exploiting this WinRAR vulnerability in a “cyber espionage campaign” that seems to be targeting aerospace corporations, military subcontractors, embassies, and companies from the Fortune Global 500 list, according to the research, which adds the campaign began on March 24.

In one sample of a spam email obtained by IntelCrawler, the attackers attached the password-protected, malicious ZIP file – named '' – and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.

Page 1 of 2