Malicious hackers have wasted no time exploiting a nasty code-execution vulnerability that was recently disclosed in WinRAR, a Windows file-compression program with 500 million users worldwide. The in-the-wild attacks install malware that, at the time this post was published, was undetected by the majority of antivirus products.
The flaw, which Check Point Research disclosed last month, allows an attacker to stealthily install malicious applications when a target opens a booby-trapped archive with any version of WinRAR released over the past 19 years, a danger that prompted immediate concern. An absolute path traversal allows archived files to be extracted to the Windows Startup folder (or any other folder chosen by the archive creator) without generating an alert. From there, the malicious payload is automatically launched the next time the computer is rebooted.
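The traversal described above is visible in an archive's entry names before anything is written to disk. The following added example (not code from Check Point, McAfee or WinRAR) resolves each entry name against the intended extraction directory with Windows path semantics and flags entries that would escape it or land in a Startup folder; the destination path, the entry list and the traversal spellings are constructed for illustration.

```python
import ntpath

# Constructed entry list modelled on the archive described in this article:
# media files in an ordinary subfolder, plus entries whose names point elsewhere.
# The traversal spellings are illustrative, not the real archive's contents.
SAMPLE_ENTRIES = [
    r"Ariana_Grande-thank_u,_next(2019)_\01 - imagine.mp3",
    r"Ariana_Grande-thank_u,_next(2019)_\02 - needy.mp3",
    r"..\Desktop\readme.txt",
    r"..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hi.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\hi.exe",
]

# Lower-case, backslash form as produced by ntpath.normcase; matches both the
# per-user and the all-users Startup folders.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Return where extracting entry_name into dest_dir would actually write.

    ntpath applies Windows semantics (drive letters, backslashes) even when the
    check runs on a non-Windows host; dest_dir must be an absolute Windows path.
    """
    name = entry_name.replace("/", "\\")
    # join() discards dest_dir when the entry is drive- or root-anchored, which
    # is exactly what an absolute-path entry relies on; normpath collapses "..".
    return ntpath.normpath(ntpath.join(dest_dir, name))


def classify_entry(dest_dir: str, entry_name: str) -> str:
    """'ok' if the entry stays under dest_dir, 'startup' if it lands in a Windows
    Startup folder (run at next logon), otherwise 'traversal'."""
    dest = ntpath.normcase(ntpath.normpath(dest_dir)).rstrip("\\")
    target = ntpath.normcase(resolve_entry(dest_dir, entry_name))
    if STARTUP_MARKER in target:
        return "startup"
    if target.startswith(dest + "\\"):
        return "ok"
    return "traversal"


def audit_entries(dest_dir: str, entries) -> dict:
    """Map each entry name to its verdict; anything not 'ok' should block extraction."""
    return {name: classify_entry(dest_dir, name) for name in entries}


if __name__ == "__main__":
    for name, verdict in audit_entries(r"C:\Users\victim\Downloads", SAMPLE_ENTRIES).items():
        print(f"{verdict:9} {name}")
```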
On Thursday, a McAfee researcher reported that the security company had identified "100 unique exploits and counting" in the first week after the vulnerability was disclosed. Most of the initial targets so far have been in the United States.
"A recent example piggybacks on a ghost replica of Ariana Grande's hit album Thank U, Next. The file name is 'Ariana_Grande-thank_u,_next(2019)_.rar'," McAfee Research Architect Craig Schmugar wrote in the post. "When you extract the contents of this archive using a vulnerable version of WinRAR, a malicious payload is created in the Startup folder in the background. Users are not warned because User Access Control (UAC) is ignored. The next time the system restarts, the malware will run."
Screenshots included in the post show the malicious archive extracting MP3 files into the target's Downloads folder. However, the RAR file also extracted a file called "hi.exe" into the Startup folder. When the computer rebooted, it installed a run-of-the-mill Trojan that was detected by nine antivirus providers, according to the VirusTotal service. Schmugar did not say whether all 100 of the exploits McAfee confirmed installed the same malware.
A Web search shows that an Ariana Grande RAR file with the same title McAfee identified is currently being distributed through BitTorrent. It is also being advertised on Twitter. People should be suspicious of files downloaded from the Internet. WinRAR users should update to version 5.70 immediately; all other versions are vulnerable to this attack. Another option is to switch to 7-Zip.