Patched WinRAR Vulnerability Remains Under Active Exploitation Due to Lack of Auto-Updates

Critical Vulnerability in WinRAR Exploited by Cybercriminals

Recent reports show that both organised cybercriminal groups and individual attackers are actively exploiting a critical code-execution vulnerability in WinRAR, the widely used file-compression tool that claims a user base of over 500 million. The flaw, tracked as CVE-2018-20250, was fixed in WinRAR 5.70 beta 1, released last month, but every earlier version remains exploitable, and the vulnerable code has been shipping for nearly two decades.

A key concern is that WinRAR has no auto-update mechanism, so a large share of its installed base stays on vulnerable builds long after a fix is available. The vulnerability is an absolute path traversal bug in UNACEV2.DLL, an outdated third-party library that WinRAR used to unpack ACE archives. Because the library trusted the filename stored in the archive header, an attacker can have a file written to a path of their choosing instead of the folder the user selected; the obvious target is one of the Windows Startup folders, so the dropped executable runs at the user's next logon. WinRAR 5.70 addresses the problem by removing the DLL and dropping ACE support altogether.

Exploitation requires no more than persuading a user to open a specially crafted archive in a vulnerable WinRAR. Attackers began malspam campaigns delivering such archives almost immediately after public disclosure. McAfee researchers reported more than 100 unique exploit samples within the first week of the announcement, with most early targets located in the United States.

Among the campaigns identified, one used a bootleg copy of a popular Ariana Grande album as bait, part of a familiar pattern of hiding malware inside content people actively want. At the time of reporting only 11 of 64 antivirus engines detected the file; the other 53 missed it. The archive looks harmless: it extracts genuine MP3 files while silently dropping an executable that compromises the victim's machine. (It is an ACE archive carrying a .rar extension; WinRAR identifies the format from the file's signature rather than its name, so the rename does not stop it from being opened.)

When a vulnerable WinRAR extracts this archive, the researchers explain, the payload is written into the user's Startup folder with nothing shown to the user. No User Account Control (UAC) prompt appears because the per-user Startup folder under %APPDATA% is writable without elevation; only the all-users Startup folder under %ProgramData% would require administrator rights. The malware runs the next time the user logs on, for example after a reboot.
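The check that UNACEV2.DLL got wrong, as an added example that is not part of the original article and is not WinRAR, Check Point or McAfee code: it takes the destination folder the user chose and each filename from an archive listing, resolves where a trusting extractor would write, and refuses anything that is absolute, escapes the destination, or lands in a Startup folder. Paths are resolved with Python's ntpath so the script runs on any OS; the destination path and entry names (including the traversal into the per-user Startup folder) are constructed illustrations, not the strings used by the real exploit.

```python
import ntpath

# Both the per-user Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\
# Programs\Startup) and the all-users one under %ProgramData% end with this
# suffix; normcase lower-cases it so comparisons are case-insensitive.
STARTUP_DIR_FRAGMENT = ntpath.normcase(
    r"\Microsoft\Windows\Start Menu\Programs\Startup" + "\\")


def resolve_entry(dest_dir, entry_name):
    """Path an extractor would write to if it used the archive's filename
    field as-is.  ntpath (Windows path rules) is used so the check runs on
    any OS.  ntpath.join discards dest_dir when entry_name is rooted or
    drive-qualified, which is exactly what an absolute-path entry relies on."""
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))


def entry_findings(dest_dir, entry_name):
    """Reasons an entry must not be extracted; an empty list means it is safe.

    "absolute"  - name carries a drive letter, UNC prefix or leading separator
    "traversal" - the resolved path lands outside dest_dir
    "startup"   - the resolved path is inside a Windows Startup folder
    """
    findings = []
    drive, rest = ntpath.splitdrive(entry_name)
    if drive or rest.startswith(("\\", "/")):
        # Checked independently of the join below: a drive-relative name such
        # as "C:evil.exe" joins cleanly onto dest_dir under ntpath, but a real
        # Windows file API would resolve it against the drive's current directory.
        findings.append("absolute")

    dest = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\") + "\\"
    resolved = ntpath.normcase(resolve_entry(dest_dir, entry_name))
    if not resolved.startswith(dest):
        findings.append("traversal")
    if STARTUP_DIR_FRAGMENT in resolved:
        findings.append("startup")
    return findings


def scan_listing(dest_dir, entry_names):
    """Map every unsafe entry name to its findings; safe entries are omitted."""
    report = {}
    for name in entry_names:
        findings = entry_findings(dest_dir, name)
        if findings:
            report[name] = findings
    return report


# Constructed listing modelled on the album lure: harmless MP3s plus droppers
# whose names climb out of the download folder or name a Startup folder
# outright.  Illustrative names only, not the real exploit's strings.
SAMPLE_DEST = r"C:\Users\victim\Downloads"
SAMPLE_LISTING = [
    r"thank u, next\01 imagine.mp3",
    r"thank u, next\02 needy.mp3",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.exe",
    "thank u, next/../../dropper.exe",
    r"C:evil.exe",
    r"\Windows\Temp\x.exe",
]

if __name__ == "__main__":
    for name, why in scan_listing(SAMPLE_DEST, SAMPLE_LISTING).items():
        print(f"{', '.join(why):<24} {name}")
```

Run it over the name list from an archive lister (or a mail gateway's archive parser) before anything is extracted. The drive-relative case `C:evil.exe` is why the name check runs independently of the path join: ntpath joins it neatly onto the destination, so a join-and-compare check alone would pass it.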

Because these campaigns are ongoing, users should update to WinRAR 5.70 or later immediately and treat archives from untrusted sources with caution. The episode shows why a patch is only half the fix when the software cannot update itself, and why vigilance about newly disclosed threats still matters.

Mapped to MITRE ATT&CK, the campaign combines initial access through a spearphishing attachment (T1566.001) with execution that depends on the user opening the malicious file (T1204.002) in vulnerable software (T1203, Exploitation for Client Execution). Persistence comes from the Startup folder drop (T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), which lets the malware run at every logon without any further user interaction.

As cyber threats continue to evolve, maintaining awareness and implementing proactive security measures will be critical in safeguarding user systems against vulnerabilities like those found in WinRAR.
