Although it took 19 years to discover a critical WinRAR bug affecting hundreds of millions, threat actors needed decidedly less time to begin exploiting the flaw in the wild.
In late February, the WinRAR bug (CVE-2018-20250) was disclosed and patched; the fix removed the decompression software's ability to handle ACE archive files at all. According to security researchers, the bug has since been exploited in targeted attacks in the United States and the Middle East. Craig Schmugar, principal engineer at McAfee, said that in just the first week after the flaw was disclosed, McAfee "identified over 100 unique exploits and counting."
"One recent example piggybacks on a bootlegged copy of Ariana Grande's hit album 'Thank U, Next' with a file name of 'Ariana_Grande-thank_u,_next(2019)_.rar'", Schmugar wrote in a blog post. "When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run."
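The behaviour Schmugar describes, an archive member landing in the Startup folder rather than in the folder the user chose, is the effect of a member name that escapes the extraction directory. The following Python is an added example, not McAfee's or WinRAR's code, of the destination check a hardened extractor applies to every member name before writing it. The sample member names, the extraction root and the function names are constructed for the illustration; the member-name check itself is general and applies to any archive format, not only ACE.

```python
"""Added example: reject archive member names that would be written outside
the extraction root. Not code from the article, McAfee or WinRAR."""
import posixpath

# Constructed sample member names for the demonstration (not taken from any
# real archive). The first two are benign; the rest try to leave the
# extraction folder, the third and fourth aiming at a Startup folder.
SAMPLE_ENTRIES = [
    "album/track01.mp3",
    "album/cover.jpg",
    "../../../Users/victim/AppData/Roaming/Microsoft/Windows/"
    "Start Menu/Programs/Startup/update.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\"
    "Start Menu\\Programs\\Startup\\update.exe",
    "album\\..\\..\\dropper.exe",
]

# Constructed extraction root; the user picked this folder, so nothing may
# be written anywhere else.
SAMPLE_ROOT = "C:/Users/victim/Downloads"


def _to_posix(name: str) -> str:
    """Archive names arrive with either slash style; use one for the check."""
    return name.replace("\\", "/")


def is_absolute_member(name: str) -> bool:
    """True for POSIX-rooted, drive-letter (C:..., drive-relative included)
    and UNC-style (//server/share) names, none of which may be honoured."""
    n = _to_posix(name)
    return n.startswith("/") or (len(n) > 1 and n[1] == ":")


def is_safe_member(dest_root: str, member_name: str) -> bool:
    """True only if the member resolves to a path under dest_root."""
    if not member_name or is_absolute_member(member_name):
        return False
    # normpath collapses '.' and '..' segments; anything still beginning
    # with '..' after that escapes the root.
    norm = posixpath.normpath(_to_posix(member_name))
    if norm == ".." or norm.startswith("../"):
        return False
    root = posixpath.normpath(_to_posix(dest_root))
    target = posixpath.normpath(posixpath.join(root, norm))
    return target == root or target.startswith(root + "/")


def triage_entries(dest_root: str, entries) -> list:
    """Return the member names an extractor must refuse to write."""
    return [e for e in entries if not is_safe_member(dest_root, e)]


if __name__ == "__main__":
    for entry in triage_entries(SAMPLE_ROOT, SAMPLE_ENTRIES):
        print("refused:", entry)
```

The check works on the member name alone and uses POSIX path rules for both slash styles, so the same logic behaves identically on Windows and Linux and can be run against an archive listing before any file is written. A production extractor would also resolve symlinks under the destination after writing, which this name-only check does not cover.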
Schmugar noted that the majority of attacks McAfee discovered targeted users in the United States, but researchers at McAfee's 360 Threat Intelligence Center also noted targeted attacks in the Middle East.
The 360 Threat Intelligence Center saw attacks being carried out where targets were prompted to extract files from a malicious archive, which would place a remote access Trojan disguised as a Telegram Desktop executable. After the victim restarted the device, the attacker would be able "to control the compromised device."
The researchers also noted on Twitter there was evidence the WinRAR bug was being exploited to deliver ransomware to targets, but did not offer much information on those attacks.
The WinRAR bug affects all versions of the software before version 5.70 beta 1. That beta update removed support for the ACE compression format altogether; however, WinRAR has no automatic update feature, so each of the program's more than 500 million users would need to update manually.
A spokesperson for Win.RAR GmbH said the company is in the process of contacting all existing customers to upgrade to the latest version via multiple avenues, including email and pop-up notifications. The spokesperson said Win.RAR GmbH is also collaborating with Avast because "there is a quite big intersection of Avast users and WinRAR users."
"Since WinRAR has no auto-update feature, we use all possible touchpoints to get the user to upgrade the software. We have released a press release where we inform about the patch of the security flaw and also give instructions on how to remove the UNACEV2.DLL file in previous versions for users who are not interested in an upgrade," the spokesperson said. "We think with these measures we are doing our best to inform the user base, and since a lot of articles are also in the news, users see the info there as well, and we are also active on Facebook and Twitter to inform the user base. Also, users should always -- not just in such a case -- be careful with opening archives from unknown origin. There is always a security risk that malware can be included."