Threat Intelligence Report: WinRAR Zero Day Threat

Date: 29 March 2019

Summary:

A zero-day vulnerability has recently been discovered in WinRAR. The vulnerability, assigned CVE-2018-20250, allows an attacker to control the destination path to which files are written while a crafted archive is extracted, without any permission prompt or user interaction. This means that attackers can create RAR archives which, once extracted, lead to code execution; for instance, an executable can be dropped into the Windows "Startup" folder.

While this vulnerability has been fixed in the latest version of WinRAR (version 5.70), WinRAR itself has no auto-update mechanism. This increases the likelihood that many existing users are still running outdated versions, leaving them susceptible to attack and, more importantly, leaving an open gate to compromise of internal infrastructure.

WinRAR is very popular and used by more than 500 million users around the world.

Conclusions:

Whilst the vulnerability has existed for many years, it was only discovered a few days ago. Attacks using it have already been observed in the wild.

Several threat actors have been observed using different propagation techniques, such as email and URL redirection; the most common vector is phishing email. Since the attackers are using different methods and different malware, the IOCs listed below will change over the coming weeks.

Because WinRAR is free and very popular but has no auto-update capability, this poses a credible threat to many businesses.

Tactics, Techniques and Procedures:

Attacks observed in the wild so far consist of a malicious RAR archive being emailed to employees. Once the archive is extracted, malware is dropped into a system folder, often disguised with an innocuous name such as calc.exe.

The attacks have also been observed to create a backdoor, allowing further command and control (C2) communication. In these cases, the malware contacts the C2 server 185[.]162[.]131[.]92 over HTTP. The C2 server responds by downloading a payload from http://185[.]49[.]71[.]101/i/pwi_crs[.]exe, which is a Netwire RAT (Remote Access Trojan).

If successfully exploited on an unpatched computer, the vulnerability permits an attacker to write any file to the computer; it is therefore anticipated that additional TTPs will be used in the future.

Indicators of Compromise:

Type   File Name / Detail                                   Hash / IP Address
File   Scan_Letter_of_Approval.rar                          8e067e4cda99299b0bf2481cc1fd8e12
File   winSrvHost.vbs                                       3aabc9767d02c75ef44df6305bc6a41f
File   Letter of Approval.pdf                               dc63d5affde0db95128dac52f9d19578
File   CmpsitinOkay.exe                                     12def981952667740eb06ee91168e643
File   SysAid-Documentation.rar                             062801f6fdbda4dd67b77834c62e82a4
File   SysAid-Documentation.rar                             49419d84076b13e96540fdd911f1c2f0
File   ekrnview.exe                                         96986B18A8470F4020EA78DF0B3DB7D4
File   Thumbs.db.lnk                                        31718d7b9b3261688688bdc4e026db99
URL    URL                                                  www[.]alahbabgroup[.]com/bakala/verify.php
URL    URL                                                  103[.]225[.]168[.]159/admin/verify.php
URL    URL                                                  www[.]khuyay[.]org/odin_backup/public/loggoff.php
URL    URL                                                  47[.]91[.]56[.]21/verify.php
IP     C2 Server                                            185[.]162[.]131[.]92
IP     C2 Server                                            89[.]34[.]111[.]113

The relationships between the IOCs are illustrated in the following figure:
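The following script is an added example, not part of the original report, showing how the IOCs above and the TTPs described earlier (C2 traffic, payload download, and executables written into the Startup folder) can be matched against proxy, EDR and firewall logs. The indicator list is copied from the report's table and defanged as published; the log lines are constructed for illustration, and the log field names (url=, md5=, dst=) are assumptions about a generic log format rather than any particular product's schema.

```python
import re
from dataclasses import dataclass

# Indicators copied from the report's IOC table, defanged exactly as published.
REPORT_IOCS = {
    "hash": [
        "8e067e4cda99299b0bf2481cc1fd8e12",  # Scan_Letter_of_Approval.rar
        "3aabc9767d02c75ef44df6305bc6a41f",  # winSrvHost.vbs
        "dc63d5affde0db95128dac52f9d19578",  # Letter of Approval.pdf
        "12def981952667740eb06ee91168e643",  # CmpsitinOkay.exe
        "062801f6fdbda4dd67b77834c62e82a4",  # SysAid-Documentation.rar
        "49419d84076b13e96540fdd911f1c2f0",  # SysAid-Documentation.rar
        "96986B18A8470F4020EA78DF0B3DB7D4",  # ekrnview.exe (published upper-case)
        "31718d7b9b3261688688bdc4e026db99",  # Thumbs.db.lnk
    ],
    "url": [
        "www[.]alahbabgroup[.]com/bakala/verify.php",
        "103[.]225[.]168[.]159/admin/verify.php",
        "www[.]khuyay[.]org/odin_backup/public/loggoff.php",
        "47[.]91[.]56[.]21/verify.php",
        "185[.]49[.]71[.]101/i/pwi_crs[.]exe",  # Netwire payload URL from the TTP section
    ],
    "ip": ["185[.]162[.]131[.]92", "89[.]34[.]111[.]113"],  # C2 servers
}

# Constructed sample log lines (not real telemetry). Field names are assumed.
SAMPLE_LOGS = [
    '2019-03-28T09:14:02Z proxy src=10.0.5.23 url="http://www.alahbabgroup.com/bakala/verify.php?u=1" status=200',
    '2019-03-28T09:14:05Z edr host=WS-0412 event=file_write path="C:\\Users\\j.doe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc.exe" md5=96986b18a8470f4020ea78df0b3db7d4',
    '2019-03-28T09:14:09Z fw action=allow src=10.0.5.23 dst=185.162.131.92 dport=80 proto=tcp',
    '2019-03-28T09:15:00Z proxy src=10.0.5.24 url="https://www.example.com/index.html" status=200',
]

HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")           # MD5, as in the table
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://([^\s\"']+)", re.IGNORECASE)
# Heuristic for the TTP in the report: an executable landing in a Startup folder.
STARTUP_RE = re.compile(r'\\start menu\\programs\\startup\\[^\\"]+\.(?:exe|vbs|lnk|bat|scr)\b',
                        re.IGNORECASE)


def refang(value: str) -> str:
    """Turn a defanged indicator ('185[.]1[.]2[.]3', 'hxxp://') back into its live form."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def build_ioc_sets() -> dict:
    """Refang every published indicator and lower-case it so matching is case-insensitive."""
    return {kind: {refang(v) for v in values} for kind, values in REPORT_IOCS.items()}


@dataclass(frozen=True)
class Match:
    line_no: int
    kind: str        # "hash", "url", "ip" or "startup"
    indicator: str


def scan_lines(lines, ioc_sets=None):
    """Return every IOC hit (and Startup-folder write) found in the given log lines."""
    ioc_sets = ioc_sets or build_ioc_sets()
    matches = []
    for n, line in enumerate(lines, 1):
        for h in HASH_RE.findall(line):
            if h.lower() in ioc_sets["hash"]:
                matches.append(Match(n, "hash", h.lower()))
        for m in URL_RE.finditer(line):
            # Compare host+path only; drop the query string and a trailing slash.
            host_path = m.group(1).lower().split("?")[0].rstrip("/")
            if host_path in ioc_sets["url"]:
                matches.append(Match(n, "url", host_path))
        for ip in IPV4_RE.findall(line):
            if ip in ioc_sets["ip"]:
                matches.append(Match(n, "ip", ip))
        sm = STARTUP_RE.search(line)
        if sm:
            matches.append(Match(n, "startup", sm.group(0)))
    return matches


if __name__ == "__main__":
    for m in scan_lines(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.kind} match -> {m.indicator}")
```

The hash comparison is case-insensitive because the table mixes upper- and lower-case MD5 values, and URLs are compared on host and path only so that a tracking query string does not hide a hit. The Startup-folder rule is a behavioural check independent of the hash list, which matters because the report states that the IOCs will change over the coming weeks.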

Advice:

This vulnerability is one of several currently affecting WinRAR, and the software does not self-update.

It is strongly recommended that customers consider removing WinRAR in favour of native operating system utilities (available in Windows 10, macOS and Linux), which are patched automatically as part of normal system updates, or of a less vulnerable alternative utility that is patched regularly through a patch-management tool such as SCCM.
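As an added example, not part of the original report, the script below supports the advice above by finding WinRAR installations that are still below the fixed version 5.70. It works from a constructed inventory export (the CSV columns hostname, product, version are an assumed format standing in for an SCCM or asset-management report) and, when run on Windows, also reads the standard Uninstall registry keys of the local machine.

```python
import csv
import io
import re

# Constructed inventory export; not real data from the report.
SAMPLE_INVENTORY = """hostname,product,version
WS-0412,WinRAR archiver,5.61
WS-0413,WinRAR archiver,5.70
WS-0420,WinRAR archiver,5.50 (32-bit)
WS-0431,7-Zip,18.05
WS-0440,WinRAR archiver,5.70.0
"""

FIXED_VERSION = (5, 70)  # first release the report names as fixed


def parse_version(text: str):
    """Return (major, minor) from strings such as '5.61', '5.70.0' or '5.50 (32-bit)'.
    WinRAR publishes a two-digit minor ('5.70'), so the second field is read as written."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version_text: str) -> bool:
    """True when the version predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def hosts_needing_patch(inventory_csv: str):
    """Return [(hostname, version)] for every WinRAR install below the fixed version."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    hits = []
    for row in reader:
        if "winrar" not in row["product"].lower():
            continue
        if is_vulnerable(row["version"]):
            hits.append((row["hostname"], row["version"].strip()))
    return hits


def local_winrar_versions():
    """On Windows, return DisplayVersion of every Uninstall entry whose DisplayName
    mentions WinRAR (64-bit and WOW6432Node views). Returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    paths = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
             r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall")
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in paths:
            try:
                root = winreg.OpenKey(hive, path)
            except OSError:
                continue
            i = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, i)
                except OSError:
                    break
                i += 1
                try:
                    with winreg.OpenKey(root, sub) as k:
                        name, _ = winreg.QueryValueEx(k, "DisplayName")
                        ver, _ = winreg.QueryValueEx(k, "DisplayVersion")
                except OSError:
                    continue  # entry without a name or version
                if "winrar" in str(name).lower():
                    found.append(str(ver))
    return found


if __name__ == "__main__":
    for host, ver in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: WinRAR {ver} is below 5.70; patch or remove")
    for ver in local_winrar_versions():
        print(f"local WinRAR {ver}: {'vulnerable' if is_vulnerable(ver) else 'fixed'}")
```

Version strings are compared as (major, minor) integer pairs rather than as text, so that "5.61" correctly sorts below "5.70" and suffixes such as "(32-bit)" or a trailing ".0" do not break the comparison.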

Glossary:

TTPs: tactics, techniques and procedures
IOCs: indicators of compromise (includes IP addresses, URLs, hashes, registry keys, filenames)
