A new malspam campaign distributes a malicious RAR archive exploiting the WinRAR ACE vulnerability

• Researchers observed a new malspam email distributing a malicious RAR archive to infect victim’s computer with a backdoor.
• This is the first malspam exploiting the WinRAR ACE vulnerability to distribute malware onto victims’ systems.

Researchers observed a new malspam campaign distributing a malicious RAR archive. Researchers noted that this is the first malspam exploiting the WinRAR ACE vulnerability to distribute malware onto victims’ systems.

Why it matters - The 19-year-old WinRAR ACE vulnerability allows a specially crafted ACE archive to extract a file to the Window Startup folder. This allows the executable to gain persistence and launch automatically when the user next logs in to Windows.

The developers of WinRAR removed the DLL and ACE support from the latest version of WinRAR 5.70 beta 1 in order to fix the vulnerability. Unfortunately, this did not resolve the issue.

What's the issue - On February 25, 2019, 360 Threat Intelligence Center tweeted that they have detected a malspam email distributing a RAR archive to infect the victim’s computer with a backdoor.

“Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off,” the tweet read.

What are the findings - Researchers from BleepingComputer downloaded and analyzed the RAR archive sample.

Researchers noted that if users attempt to extract the archive when UAC is running, it will fail to drop the malware in the C:\ProgramData folder due to lack of permissions. This will cause WinRAR to display an error stating ‘Access is denied’ and ‘operation failed’.

On the other hand, when users attempt to extract the archive when UAC is disabled or WinRAR is run with administrator privileges, then it will install the malware to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.

• Since CMSTray.exe is extracted to the user's Startup folder, the executable will be launched on the next login.
• Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and will execute the executable file.
• Once executed, the malware will connect to http[;]//138.204.171.108 and will download various files, including a Cobalt Strike Beacon DLL.
• Once the DLL is downloaded, the attackers will now be able to remotely access the victim’s computer, execute commands, and propagate to other computers connected to the network.

What's the conclusion - Researchers expect more malware attempts to exploit this WinRAR ACE vulnerability, therefore, it is best to upgrade to the latest version of WinRAR. Additionally, this vulnerability can be fixed with 0Patch's WinRAR micropatch.