Security experts found a malspam campaign that spreads malicious RAR archive which could exploit the WinRAR flaw to spread malware on a computer.
Last week, a critical 19-year-old vulnerability in the WinRAR was disclosed by security experts at CheckPoint software. According to experts, this flaw can be used by cyber criminals to execute malicious code and gain full control over a compromised computer. It is an “Absolute Path Traversal.” Attacks can exploit UNACEV2.DLL can use a specially-crafted file archive to execute arbitrary code.
WinRAR is a useful file-archiving tool for Windows users. It is able to create and support viewing of archives in Roshal Archive Compressed or ZIP file formats. It has been used to pack and unpack numerous archive file in a convenient way. As it is a popular utility, it has been used by attacker to spread malware. According to reports, over 500 million worldwide users use WinRAR. They potentially are affected by this flaw if they used any version of WinRAR released in the last 19 years.
The hackers distribute malspam with malicious archive that contains malicious .exe file called CMSTray.exe. When a victim use WinRAR data file compression tool to open the malicious archive, the malware can drop CMSTray.exe in Startup folder. It will run automatically every time victim power on the computer. The bad thing is WinRAR development team had lost the source code of the UNACEV2.dll library in 2005. Therefore, the team stopped using the UNACEV2.dll and released WINRar version 5.70 beta 1. The new version fixes the vulnerability while it does not support ACE format.
360 Threat Intelligence Center said on a Tweet, “Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off.”
Bleeping Computer reported, “Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched. Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.”
We suggest you update the service if you use WinRAR to fix the vulnerability. Malware can be everywhere. It will be better if you install reliable and powerful security program like Kaspersky Lab and McAfee.
Published by Emerson L. Sullivan & last updated on February 27, 2019 7:39 am