Windows 10 News and info | Forum
July 14, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Malspam Exploits WinRAR ACE Vulnerability to Install a Backdoor  (Read 146 times)
Hero Member
Offline Offline

Gender: Male
United States United States

Posts: 31581

I Do Windows

WWW Email
« on: February 26, 2019, 11:47:16 AM »

Researchers have discovered a malspam campaign that is distributing a malicious RAR archive that may be the first one to exploit the newly discovered WinRAR ACE vulnerability to install malware on a computer.
Last week, Checkpoint disclosed a 19-year-old vulnerability in the WinRAR UNACEV2.DLL library that allows a specially crafted ACE archive to extract a file to the Window Startup folder when it is extracted. This allows the executable to gain persistence and launch automatically when the user next logs in to Windows.

As the developers of WinRAR no longer have access to the source code for the vulnerable UNACEV2.DLL library, instead of fixing the bug, they removed the DLL and ACE support from the latest version of WinRAR 5.70 beta 1.  While this fixes the vulnerability, it also removes all ACE support from WinRAR.

Unfortunately, this does not help the approximately 500 million users who allegedly have WinRAR installed on their computers and that is exactly what malware developers are banking on.

Today, 360 Threat Intelligence Center tweeted that they have discovered an email that was distributing a RAR archive that when extracted will infect a computer with a backdoor.

When BleepingComputer downloaded the sample and examined the RAR archive in a hex editor you can see that the exploit plans on extracting a file to the user's Startup folder.

If UAC is running, when you attempt to extract the archive it will fail to place the malware in the C:\ProgramData folder due to lack of permissions. This will cause WinRAR to display an error stating "Access is denied" and "operation failed" as shown below.

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.

Now that CMSTray.exe is extracted to the user's Startup folder, on the next login the executable will be launched. Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.

Launching %Temp%\wbssrv.exe

Once launched, the malware will connect to and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim's computer.

Downloading Cobalt Strike Beacon DLL

Once the DLL is loaded, the attackers will be able to access your computer remotely, execute commands, and spread to other computers on your network.

As we expect to see more malware attempt to exploit this vulnerability, whether it be through malspam or other methods, it is important that you upgrade to the latest version of WinRAR.

If you are unable to upgrade for some reason, then you can use 0Patch's WinRAR micro patch to address this specific WinRAR bug. This micro patch will fix the vulnerability in all 32-bit and 64-bit versions of WinRAR versions using the UNACEV2.DLL since 2005.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page June 13, 2020, 10:06:07 PM