
WinRAR spoofing vulnerability being exploited in malware campaign

A WinRAR vulnerability recently discovered by an Israeli researcher is being exploited in a malware campaign that seems to be targeting government and international organizations, as well as Fortune Global 500 companies, according to cyber intelligence company IntelCrawler. 

WinRAR is a popular archiving program that, among other things, compresses and decompresses ZIP files.

In a Sunday post, Danor Cohen, an Israeli security researcher, wrote about a vulnerability that allows an individual to create a ZIP file that appears to contain one thing when compressed, but actually houses something different altogether.

From an attacker's standpoint, a trojan or other malware can be compressed with WinRAR in a way that makes the resulting ZIP file appear to contain an image, or some other harmless file. The attacker then waits for someone to click on the file, which is actually an executable, and the target is compromised.

Cohen observed the vulnerability – which he called WinRAR file extension spoofing – on WinRAR version 4.20, but IntelCrawler researchers wrote in a Wednesday post that it can be exploited on all versions of WinRAR, including version 5.1.

The exploit is made possible when WinRAR compresses a file and creates new properties, including an extra 'file name' input. By altering one of the 'file name' inputs, the ZIP will say it contains something different from what is actually inside.
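As an added illustration, not code from the article or from IntelCrawler, the following Python check shows how a defender can screen an incoming archive for this kind of inconsistency. It assumes that the two 'file name' inputs the article refers to are the two copies of each member's name that the ZIP format keeps, one in the local file header in front of the member's data and one in the central directory at the end of the archive, and it flags any member where the two copies disagree. The sample archive is constructed inline.

```python
import io
import struct
import zipfile

EOCD_FMT = "<4sHHHHIIH"           # end-of-central-directory record, 22 bytes
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # central directory file header, 46 bytes
LOCAL_FMT = "<4sHHHHHIIIHH"       # local file header, 30 bytes


def find_name_mismatches(data: bytes) -> list:
    """Return (central_name, local_name) pairs whose two name copies differ.

    Assumption: a tool that lists the archive from one copy of the name but
    extracts using the other can be fooled when the copies disagree, which is
    the mechanism assumed here for the 'file name' inputs described above.
    """
    eocd_pos = data.rfind(b"PK\x05\x06")
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_pos)
    mismatches = []
    pos = cd_off
    for _ in range(total):
        cd = struct.unpack_from(CDIR_FMT, data, pos)
        if cd[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len, local_off = cd[10], cd[11], cd[12], cd[16]
        central_name = data[pos + 46:pos + 46 + name_len]
        lh = struct.unpack_from(LOCAL_FMT, data, local_off)
        if lh[0] != b"PK\x03\x04":
            raise ValueError("corrupt local file header")
        local_name = data[local_off + 30:local_off + 30 + lh[9]]
        if central_name != local_name:
            mismatches.append((central_name.decode("cp437"), local_name.decode("cp437")))
        pos += 46 + name_len + extra_len + comment_len
    return mismatches


def build_sample(inconsistent: bool) -> bytes:
    """Constructed sample: a one-member ZIP holding plain text. With
    inconsistent=True the central directory copy of the name is overwritten
    with a same-length name so that the two copies no longer agree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"constructed sample content")
    data = buf.getvalue()
    if inconsistent:
        name_pos = data.rfind(b"PK\x01\x02") + 46   # only one entry, so rfind is it
        data = data[:name_pos] + b"notes.log" + data[name_pos + len(b"notes.txt"):]
    return data


if __name__ == "__main__":
    print("clean archive:", find_name_mismatches(build_sample(False)))
    print("inconsistent archive:", find_name_mismatches(build_sample(True)))
```

Python's own zipfile module performs the same comparison when a member is opened and raises BadZipFile if the two names differ, so an archive flagged here would also be rejected by that library.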

IntelCrawler has observed attackers exploiting this WinRAR vulnerability in a “cyber espionage campaign” that seems to be targeting aerospace corporations, military subcontractors, embassies, and companies from the Fortune Global 500 list, according to the research, which adds that the campaign began on March 24.

In one sample of a spam email obtained by IntelCrawler, the attackers attached the password-protected, malicious ZIP file – named 'FAX.zip' – and included the password for the file in the body of the email, which was said to be from European Council Legal Affairs.

“In this case [the file] was password protected because [the attackers want] to avoid any anti-virus detection of their malware – to be sure it is 100% [avoided] during the targeted cyber attack,” Dan Clements, president of IntelCrawler, told SCMagazine.com in a Thursday email correspondence.

Researchers analyzed the attachment and determined it was a Zeus-like trojan capable of establishing remote administration channels with the infected victim, and gathering passwords and saved forms, according to the research.

One of the command-and-control servers discovered by IntelCrawler is hosted in Turkey, but Clements said that although an investigation is ongoing, it appears to be a hacked server hiding the true location of the attackers.

“We predict the rise of such kinds of attacks, as it is really a very efficient way to trick the user, and moreover, [the malware] does not need to be password protected,” Clements said.
