WinRAR Exploits Massively Used in Recent Attacks

Delaware, USA ā€“ March 18, 2019 ā€“ Less than a month ago, cyber security community became aware of a severe vulnerability in the archiver, which allows throwing a malicious file into Autorun folder, and to date, researchers have discovered over one hundred of WinRAR exploits used in real attacks. McAfee Labs reported their findings on a blog post, noting that most of the targets of such attacks are located in the United States and provided an example of a recent exploit. Attackers used a pirated copy of Ariana Grandeā€™s album to create a malformed ACE file that unpacks MP3 files into a user-designated folder, and also drops a trojan into the Startup folder.

Despite the fact that the CVE-2018-20250 vulnerability was ā€˜patchedā€™ in 5.70 Beta 1 release, most users still havenā€™t installed the update. WinRAR exploits have adopted not only by financially motivated cybercriminals, but also APT groups that conduct highly targeted attacks against South Korea and the Middle East countries.

Exploits began to appear in a few days after the vulnerability disclosure, and their number is continually growing. There is no automatic update feature in WinRAR, so the release of the patch does not solve the problems with this vulnerability. You can use the Sysmon Framework rule pack for ArcSight to detect suspicious events that need to be investigated: https://my.socprime.com/en/integrations/sysmon-framework-arcsight