

Rewterz Threat Alert – B0r0nt0K Ransomware Infects Linux Servers via Unknown Attack Vector
February 25, 2019
Rewterz Threat Alert – Russian Language Malspam Pushing Shade Ransomware
February 26, 2019
Severity
High
Analysis Summary
If UAC is enabled, attempting to extract the archive fails to place the malware in the C:\ProgramData folder because the user lacks the required permissions. WinRAR then displays an error stating “Access is denied” and “operation failed”.

On the other hand, if UAC is disabled or WinRAR is run with administrator privileges, the extraction succeeds and the malware is written to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe.

Now that CMSTray.exe is extracted to the user’s Startup folder, on the next login the executable will be launched.
Once launched, it will copy the CMSTray.exe to %Temp%\wbssrv.exe and execute the wbssrv.exe file.

Launching %Temp%\wbssrv.exe
Once launched, the malware will connect to http://138.204.171.108/ and download various files, including a Cobalt Strike Beacon DLL. Cobalt Strike Beacon is a penetration testing tool that is also used by criminals to gain remote access to a victim’s computer.

Downloading Cobalt Strike Beacon DLL
Once the DLL is loaded, the attackers will be able to access your computer remotely, execute commands, and spread to other computers on your network.
Impact
- Command execution
- System access
Indicators of Compromise
IP(s) / Hostname(s)
138.204.171.108
URLs
http://138.204.171.108/BxjL5iKld8.zip
Malware Hash (MD5/SHA1/SHA256)
2a09056cb4615a53b27aed19793f2d91f5fb497fdf4f6be6cce6c6abac48f707
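One way to put the indicators above to work on endpoint telemetry is a small matcher that flags file, network and HTTP events hitting any of them. The code below is an added example and is not Rewterz’s tooling; the event dictionary schema (`type`, `path`, `sha256`, `dest_ip`, `url`) and the sample events are constructed for this example and do not correspond to any real product’s log format.

```python
"""IoC matcher for the CMSTray.exe / Cobalt Strike Beacon chain in this alert.

Added example, not Rewterz code. Events are assumed to be already normalized
into small dicts; the field names used here are an assumption of this example.
"""
from dataclasses import dataclass

# Indicators exactly as listed in the alert.
IOC_IP = "138.204.171.108"
IOC_URL = "http://138.204.171.108/BxjL5iKld8.zip"
IOC_SHA256 = "2a09056cb4615a53b27aed19793f2d91f5fb497fdf4f6be6cce6c6abac48f707"
STARTUP_DROP = r"c:\programdata\microsoft\windows\start menu\programs\startup\cmstray.exe"
TEMP_COPY_NAME = "wbssrv.exe"  # the copy written to %Temp% before execution


@dataclass(frozen=True)
class Finding:
    event_id: str
    indicator: str
    reason: str


def match_event(event: dict) -> list:
    """Return one Finding per indicator from the alert that this event hits."""
    findings = []
    eid = event["id"]
    kind = event.get("type")

    if kind == "file_create":
        path = event.get("path", "").lower()
        if path == STARTUP_DROP:
            findings.append(Finding(eid, path, "CMSTray.exe written to the Startup folder"))
        elif path.endswith("\\" + TEMP_COPY_NAME) and "\\temp\\" in path:
            findings.append(Finding(eid, path, "wbssrv.exe dropped under a Temp directory"))
        # Hash match is checked independently of the path: a renamed copy still hits.
        if event.get("sha256", "").lower() == IOC_SHA256:
            findings.append(Finding(eid, IOC_SHA256, "SHA256 matches the known sample"))

    elif kind == "network_connect":
        if event.get("dest_ip") == IOC_IP:
            findings.append(Finding(eid, IOC_IP, "connection to the known download/C2 host"))

    elif kind == "http_request":
        if event.get("url", "").lower() == IOC_URL.lower():
            findings.append(Finding(eid, IOC_URL, "download of the known malicious archive"))

    return findings


def scan(events) -> list:
    """Run match_event over a sequence of events and flatten the findings."""
    out = []
    for ev in events:
        out.extend(match_event(ev))
    return out


# Constructed sample telemetry (not real logs). e3 and e5 are benign noise.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "file_create",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe",
     "sha256": IOC_SHA256},
    {"id": "e2", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\wbssrv.exe"},
    {"id": "e3", "type": "file_create",
     "path": r"C:\Users\alice\Documents\report.docx"},
    {"id": "e4", "type": "network_connect", "dest_ip": "138.204.171.108", "dest_port": 80},
    {"id": "e5", "type": "network_connect", "dest_ip": "192.0.2.10", "dest_port": 443},
    {"id": "e6", "type": "http_request", "url": "http://138.204.171.108/BxjL5iKld8.zip"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id}: {f.reason} [{f.indicator}]")
```

Against the sample events the matcher reports e1 twice (Startup path and hash), and e2, e4 and e6 once each; the path and hash checks are deliberately separate so that a copy of the sample written elsewhere is still caught by its hash.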
Remediation
- Update to the latest version of WinRAR, 5.70 beta (32-bit or 64-bit).
- If you are unable to upgrade for some reason, you can use 0Patch’s WinRAR micropatch to address this specific WinRAR bug. The micropatch fixes the vulnerability in all 32-bit and 64-bit WinRAR versions that use UNACEV2.DLL, i.e. those released since 2005.