Attackers Exploit WinRAR Vulnerability to Drop Cobalt Strike Beacon

Delaware, USA – February 26, 2019 – Cybercriminals weaponized vulnerability in WinRAR in less than a week after its disclosure. Vulnerability CVE-2018-20250 affects all versions of the archiver up to 5.70 Beta 1, in which developers simply deleted the vulnerable library. With its help, adversaries can specify a folder for unpacking files, ignoring the folder selected by the user. Researchers at Quihoo 360 discovered the first malware distribution campaign that exploits this vulnerability in WinRAR. Malicious archives are delivered via spam emails, and when a targeted user tries to unpack it under an account with administrator privileges, or when User Account Control on an attacked system is disabled, the malware is unpacked to the Startup folder. At the next system startup, it copies itself to Temp folder as wbssrv.exe and runs its copy, which downloads additional payloads from the command and control server, including the infamous penetration testing tool Cobalt Strike Beacon. This tool is actively used by adversaries to execute PowerShell scripts and drop other payloads.

Almost half a billion systems in the world use WinRAR, and not all of them use updated software. There is a high probability that other threat actors will also adopt this exploit shortly to deliver malware. If you are not sure that you have an updated archiver installed on all systems, you can leverage SIEM rules to detect the usage of this exploit: https://tdm.socprime.com/tdm/info/1474/
You can also use rules available at Threat Detection Marketplace to spot Cobalt Strike tools:
https://tdm.socprime.com/tdm/info/1141/
https://tdm.socprime.com/tdm/info/1230/
https://tdm.socprime.com/tdm/info/1006/