By using the bug, hackers are desperately dropping persistent malware through generic trojan on systems using the old version of WinRar.
McAfee security firm’s researcher Craig Schmugar has identified that the world famous and commonly used compression software WinRar is plagued with code execution vulnerability for the past nineteen years. Resultantly, over 100 exploits have surfaced that can target vulnerability. A majority of the targets are found to be located in the USA.
The flaw in the software that’s used by 500 million users around the globe was identified only recently by Check Point Research and it immediately made headlines because of the sheer amount of time it has plagued the software. It is observed that attackers can infect devices with such persistent malware and malicious applications that most of the antivirus products cannot detect.
The infection gets activated as soon as the user opens a compressed ZIP file on the PC. It is worth noting that the infection gets activated with all versions of WinRar released in the past nineteen years. The archive files get extracted to any folder that the creator selects such as the Windows startup folder through the absolute path traversal method and a warning notification isn’t generated.
That’s where the malicious malware come into action and run the next time the victim reboots the device. After the computer is rebooted a random, generic Trojan is installed that can only be identified by 9 antivirus products, as per VirusTotal.
Schmugar explained the working of the exploit in a blog post along with screenshots of how the attack takes place:
“One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album Thank U, Next with a file name of ‘Ariana_Grande-thank_u,_next(2019)_.rar,’. When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.”
Schmugar also revealed that all the 100 exploits didn’t install the same malware.
The Ariana Grande RAR file is circulating on numerous BitTorrent services and Twitter with the exact same title as Schmugar identified. If you happen to see such a file offered to be downloaded do ignore it and make sure to use WinRar version 5.70 only because that’s the only version not vulnerable to the attacks. Alternately, you can start using 7zip.
“While a patched version, 5.70, was released on 26 February, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched,” Schmugar explained.