Patched WinRAR vulnerability is still being exploited by hackers

Malicious hackers are still exploiting a recently patched critical code execution vulnerability in WinRAR, a Windows file compression application with over 500 million users worldwide.

Hackers are able to keep exploiting the vulnerability because WinRAR has no auto-update feature, leaving millions of its users on unpatched versions and exposed to attack.

WinRAR vulnerability

The 19-year-old security flaw, disclosed late last month by Check Point Research, allowed attackers to secretly install persistent malicious applications when a target opened a compressed archive file using any WinRAR version.

The “absolute path traversal” bug in UNACEV2.DLL, an old third-party library used by WinRAR, allowed threat actors to extract an executable from an ACE archive into one of the Windows Startup folders, where the malicious payload would run automatically after each system reboot.
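The mechanism described above comes down to an extractor trusting the file name stored inside the archive: if that name carries a drive letter, a leading backslash or `..` components, joining it onto the user's chosen destination folder yields a path somewhere else on disk. The following Python example is added here as an illustration and is not code from the article, Check Point, McAfee or WinRAR. It uses `ntpath` so Windows path rules apply on any OS, shows the naive join beside a hardened check that refuses such names, and flags when the resulting path would land in a Windows Startup folder (the suffix `\Start Menu\Programs\Startup` shared by the per-user and all-users folders). The destination `C:\Extract` and all entry names are constructed samples.

```python
"""
Defensive extraction-path check (added example, not the article's or WinRAR's code).
Models the flaw described above: an extractor that trusts the name stored in an
archive can be steered to write outside the destination folder, including into
a Startup folder. All paths and entry names below are constructed samples.
"""
import ntpath

# Windows path rules (ntpath) are used explicitly so the example runs on any OS.
# Both the per-user and the all-users Startup folders end in this suffix.
STARTUP_SUFFIX = ntpath.normcase(r"\Start Menu\Programs\Startup")


def naive_target(dest_dir: str, entry_name: str) -> str:
    """Unsafe behaviour: join the stored name onto the destination.

    ntpath.join discards dest_dir when entry_name carries a drive or root,
    and normpath resolves '..', so the result can land anywhere on disk.
    """
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def safe_target(dest_dir: str, entry_name: str) -> str:
    """Hardened form: return the write path, or raise if it would leave dest_dir."""
    dest = ntpath.normpath(dest_dir)
    if not ntpath.splitdrive(dest)[0]:
        raise ValueError("dest_dir must be an absolute, drive-qualified path")
    # Archives may store either separator; normalise before inspecting.
    name = entry_name.replace("/", "\\")
    drive, tail = ntpath.splitdrive(name)
    if drive or tail.startswith("\\"):
        raise ValueError(f"absolute or rooted entry name: {entry_name!r}")
    if any(part == ".." for part in tail.split("\\")):
        raise ValueError(f"parent-directory traversal: {entry_name!r}")
    target = ntpath.normpath(ntpath.join(dest, tail))
    # Belt and braces: the normalised result must still sit under dest.
    if ntpath.normcase(ntpath.commonpath([dest, target])) != ntpath.normcase(dest):
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    return target


def hits_startup_folder(path: str) -> bool:
    """True when the directory part of path is a Windows Startup folder."""
    return ntpath.normcase(ntpath.dirname(path)).endswith(STARTUP_SUFFIX)


def audit_entry(dest_dir: str, entry_name: str) -> dict:
    """Report where a naive extractor would write and whether the hardened check allows it."""
    naive = naive_target(dest_dir, entry_name)
    try:
        safe_target(dest_dir, entry_name)
        reason, ok = "", True
    except ValueError as exc:
        reason, ok = str(exc), False
    return {"name": entry_name, "ok": ok, "naive_target": naive,
            "reason": reason, "hits_startup": hits_startup_folder(naive)}


# Constructed sample archive listing for a destination of C:\Extract.
SAMPLE_ENTRIES = [
    "photos\\cover.jpg",
    "docs/readme.txt",
    "..\\..\\Users\\Public\\note.txt",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        report = audit_entry("C:\\Extract", entry)
        verdict = "allow " if report["ok"] else "REJECT"
        flag = "  <- Startup folder" if report["hits_startup"] else ""
        print(f"{verdict} {entry!r} -> naive write path {report['naive_target']}{flag}")
        if report["reason"]:
            print(f"        reason: {report['reason']}")
```

Running the module prints one line per entry: the two relative names are allowed and stay under `C:\Extract`, the `..` name is rejected and would otherwise have landed in `C:\Users\Public`, and the drive-qualified name is rejected and flagged because the naive join would have written straight into the all-users Startup folder. An archive scanner can apply the same `audit_entry` logic to a listing before extraction and treat any `hits_startup` verdict as a strong indicator of the campaign described in this article.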

To successfully exploit this vulnerability and take control of a target’s computer, all an attacker had to do was persuade the target to open the file, Check Point researchers said.

Malicious hackers began exploiting the vulnerability in ‘malspam’ email campaigns to install malware on the computers of users still running a vulnerable version of the software.

“100 unique exploits”

On Thursday (March 14), a researcher at McAfee said in a blog post that the security firm had identified “100 unique exploits and counting” in the first week after the vulnerability was publicly revealed, with most of the initial targets located in the US.

One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar,” McAfee Research Architect Craig Schmugar wrote in the post.

“When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.”

WinRAR’s developers released WinRAR 5.70 Beta 1 last month to fix the vulnerability.

McAfee advised users to install the latest version of WinRAR and to avoid opening unknown files that could contain malware.
