Threat Intelligence Report: WinRAR Zero Day Threat

Date: 29 March 2019


A Zero-Day Vulnerability has recently been discovered in WinRAR. The vulnerability, which was assigned as CVE-2018-20250, allows attackers to set arbitrary destinations during file extraction of the compressed files, without permission or user interaction. This means that attackers can create RAR archives which extract then execute code. It is possible to extract executables to the Windows “Startup” folder for instance.

While this vulnerability has been fixed in the latest version of WinRAR (version 5.70), WinRAR itself does not facilitate auto-updates, increasing the likelihood that many existing users remain running outdated versions making them susceptible to attacks and, more importantly, being an open gate to compromise internal infrastructure.

WinRAR is very popular and used by more than 500 million users around the world.


Whilst the vulnerability has existed for many years, it was only discovered a few days ago. There are already attacks using this mechanism being observed in the wild.

Several Threat Actors have been observed using different propagation techniques such as email and URL redirections, the most common vector is through Phishing emails. Since the attackers are using different methods and composing different malwares, the IOCs listed below will change over the coming weeks.

Owing to the fact that WinRAR is a free software and very popular but without any auto-update capability, this poses a credible threat to many businesses.

Tactics, Techniques and Procedures:

Attacks observed thus far in the wild consist of a malicious RAR archive being emailed to employees. Once decompressed, malware is extracted into a system folder and is often disguised with a common name such as calc.exe.

The attacks have also been observed to create a backdoor, allowing further command and control (C2) communications. In these cases, the malware communicates to C2 server 185[.]162[.]131[.]92 via HTTP request. The C2 server responds downloading a payload from http://185[.]49[.]71[.]101/i/pwi_crs[.]exe, which is a Netwire RAT (Remote Access Trojan).

If successfully exploited on an unpatched computer, the vulnerability will permit an attacker to install any file on the computer, to that end it is anticipated that additional TTPs will be used in the future.

Indicators of Compromise:

Type File Name / Detail Hash/IP Address
FileLetter of Approval.pdf dc63d5affde0db95128dac52f9d19578
URLURLwww[.]khuyay[.]org/odin_backup/public/loggoff. php
IPC2 Server185[.]162[.]131[.]92
IPC2 Server89[.]34[.]111[.]113

The relation between IOCs is interpreted in the following figure:


This vulnerability is one of several currently affecting WinRAR. The software also does not self-update.

It is strongly recommended that Customers consider removing WinRAR, in favour for native operating system utilities (found in Windows 10, MacOS, and Linux) which are automatically patched as part of normal system updates, or for a less vulnerable alternative utility and regularly patching these through patching utilities such as SCCM.


TTPs: tactics, techniques and procedures
IOCs: indicators of compromise (includes IP addresses, URLs, hashes, registry keys, filenames)

Leave a Reply