Researchers observed a new malspam campaign distributing a malicious RAR archive. Researchers noted that this is the first malspam exploiting the WinRAR ACE vulnerability to distribute malware onto victims’ systems.
Why it matters - The 19-year-old WinRAR ACE vulnerability allows a specially crafted ACE archive to extract a file to the Windows Startup folder. This gives the dropped executable persistence: it launches automatically the next time the user logs in to Windows.
The developers of WinRAR removed the DLL and ACE support from the latest version of WinRAR 5.70 beta 1 in order to fix the vulnerability. Unfortunately, this did not resolve the issue.
What's the issue - On February 25, 2019, 360 Threat Intelligence Center tweeted that they have detected a malspam email distributing a RAR archive to infect the victim’s computer with a backdoor.
“Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off,” the tweet read.
What are the findings - Researchers from BleepingComputer downloaded and analyzed the RAR archive sample.
Researchers noted that if users attempt to extract the archive when UAC is running, it will fail to drop the malware in the C:\ProgramData folder due to lack of permissions. This will cause WinRAR to display an error stating ‘Access is denied’ and ‘operation failed’.
On the other hand, when users attempt to extract the archive when UAC is disabled or WinRAR is run with administrator privileges, then it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.
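The behaviour described above comes down to an archive entry whose name resolves outside the chosen extraction directory and into the global Startup folder. The following is an added defensive example, not code from the article, BleepingComputer or 360 Threat Intelligence Center: it shows the pre-extraction check an archive handler or a mail-gateway scanner can apply to entry names, flagging any entry that escapes the destination directory or lands in a Windows Startup folder. The destination directory, the sample entry names and the function names are assumptions constructed for the example; the Startup path and the CMSTray.exe file name are the ones reported in the article.

```python
import ntpath

# Path fragment shared by the global Startup folder
# (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup) and the
# per-user one (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed sample: the extraction directory a user would pick.
DEST = r"C:\Users\victim\Downloads"

# Constructed sample entry names. The first two are ordinary; the third uses
# '..' traversal and the fourth an absolute path, both ending in the
# global Startup folder path reported in the article.
SAMPLE_ENTRIES = [
    "invoice.pdf",
    "docs/readme.txt",
    r"..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe",
    "C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/CMSTray.exe",
]


def resolve_target(entry_name: str, dest_dir: str) -> str:
    """Return the Windows path an archive entry would actually be written to.

    Entry names may use '/' separators, '..' components or absolute paths.
    ntpath.join() discards dest_dir when the entry is absolute, and
    normpath() collapses '..', so the real destination becomes visible.
    """
    normalized = entry_name.replace("/", "\\")
    return ntpath.normpath(ntpath.join(dest_dir, normalized))


def classify_entry(entry_name: str, dest_dir: str) -> dict:
    """Report whether an entry stays inside dest_dir and whether it hits a Startup folder."""
    target = resolve_target(entry_name, dest_dir)
    dest_norm = ntpath.normpath(dest_dir)
    # Windows paths are case-insensitive, so compare lower-cased strings.
    t, d = target.lower(), dest_norm.lower()
    inside = t == d or t.startswith(d + "\\")
    return {
        "entry": entry_name,
        "target": target,
        "escapes_destination": not inside,
        "lands_in_startup": STARTUP_MARKER in t,
    }


def audit_archive(entry_names, dest_dir: str) -> list:
    """Return the entries that must be refused: they escape dest_dir or target Startup."""
    findings = []
    for name in entry_names:
        info = classify_entry(name, dest_dir)
        if info["escapes_destination"] or info["lands_in_startup"]:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in audit_archive(SAMPLE_ENTRIES, DEST):
        print(f"REFUSE {finding['entry']!r} -> {finding['target']}"
              f" (escapes={finding['escapes_destination']},"
              f" startup={finding['lands_in_startup']})")
```

Run against the constructed sample, the two ordinary entries pass and the two CMSTray.exe entries are refused because they both resolve to the global Startup path. The same check is useful on the detection side: an entry name that resolves into a Startup folder is a strong indicator for a mail gateway regardless of whether the archive format is ACE or RAR.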
What's the conclusion - Researchers expect more malware to attempt to exploit this WinRAR ACE vulnerability, so upgrading to the latest version of WinRAR is the best course of action. Additionally, this vulnerability can be fixed with 0Patch's WinRAR micropatch.