WinRAR Zero-day Abused in Multiple Campaigns
WinRAR, a file archival utility that is over 20 years old and used by more than 500 million users worldwide, recently acknowledged a long-standing vulnerability in its code base. A recently published path traversal zero-day, disclosed as CVE-2018-20250 by Check Point Research, lets attackers specify arbitrary destinations during extraction of ACE-formatted files, regardless of user input. Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, such as the Windows "Startup" Start Menu folder. While this vulnerability has been fixed in the latest version of WinRAR (5.70), WinRAR itself has no auto-update feature, which makes it likely that many users are still running out-of-date versions.
FireEye has observed multiple campaigns leveraging this vulnerability, in addition to those already discussed by 360 Threat Intelligence Center. Below we will look into some campaigns we came across that used customized and interesting decoy documents with …
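The core of the flaw described above is that a filename declared inside the archive, not the folder the user picked, decides where a file is written. The script below is an added illustration of the containment check an extractor should apply (it is not code from FireEye, WinRAR or Check Point): it resolves each declared entry name against the chosen destination with Windows path semantics and rejects any that would land outside it. The destination folder, the entry names and the Startup-folder target are constructed assumptions for the demonstration.

```python
import ntpath

# Destination folder the user picked in the extraction dialog (constructed example).
DEST_DIR = r"C:\Users\victim\Downloads\extracted"

# Entry names as an archive header might declare them. These are constructed
# illustrations of the shapes a path-traversal check must catch, not names
# taken from any real archive. The third one aims at the Startup folder the
# article mentions; the last three are absolute or drive-relative paths.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"images/cover.jpg",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\Public\Desktop\notes.txt",
    r"\Windows\Temp\loader.dll",
    r"D:\tools\helper.exe",
]


def resolve_target(dest_dir, entry_name):
    """Absolute path an extractor would write to if it joined the declared
    filename to the chosen destination without further validation. ntpath
    applies Windows semantics (drive letters, backslashes, '..' folding,
    '/' as alternate separator) on any host, so this also runs on Linux."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def is_contained(dest_dir, target):
    """True only if target lies inside dest_dir. commonpath (not a string
    prefix test) is used so 'extracted2' is not mistaken for 'extracted';
    a ValueError (different drive) counts as an escape."""
    dest = ntpath.normpath(dest_dir)
    try:
        return ntpath.commonpath([dest, target]).lower() == dest.lower()
    except ValueError:
        return False


def audit_entries(dest_dir, entries):
    """Return [(entry, resolved_target, allowed)] for every declared entry.
    An extractor should refuse any entry whose allowed flag is False."""
    report = []
    for name in entries:
        target = resolve_target(dest_dir, name)
        report.append((name, target, is_contained(dest_dir, target)))
    return report


if __name__ == "__main__":
    for name, target, ok in audit_entries(DEST_DIR, SAMPLE_ENTRIES):
        print("ALLOW " if ok else "REJECT", name, "->", target)
```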
IoC