Rewterz Threat Alert – CVE-2018-20250 JNEC. A Ransomware Delivered Through WinRAR Exploit

Severity

High

Analysis Summary

The flaw is an “Absolute Path Traversal” issue in a library used by WinRAR: a specially crafted archive can write files to an attacker-chosen location during extraction, which can lead to arbitrary code execution.
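As an added illustration (not code from the Rewterz alert or from WinRAR), the following Python check rejects archive member names that would land outside the extraction directory, which is exactly what an absolute path traversal flaw in an extractor lets through. It treats both `/` and `\` as separators, as a Windows extractor would, and the `unsafe_members` helper and sample names are constructed for this example.

```python
import ntpath
import os
import posixpath
from typing import Iterable, List


def is_safe_member(name: str, dest: str = "extract") -> bool:
    """Return True only if an archive member can be written strictly under dest.

    Rejects the cases an extractor with an absolute path traversal bug would
    accept: drive-qualified or UNC paths (C:\\..., \\\\srv\\share), a leading
    slash or backslash, any '..' component, empty names and NUL bytes.
    """
    if not name or "\x00" in name:
        return False
    unified = name.replace("\\", "/")
    # ntpath catches drive letters and UNC roots; posixpath catches a leading '/'.
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0] or posixpath.isabs(unified):
        return False
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    # Conservative: any '..' is refused, even one that would net out inside dest.
    if ".." in parts:
        return False
    # Final defence: resolve the target and confirm it stays inside dest.
    base = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(base, *parts))
    return target == base or target.startswith(base + os.sep)


def unsafe_members(names: Iterable[str], dest: str = "extract") -> List[str]:
    """Return the member names that must not be extracted to dest."""
    return [n for n in names if not is_safe_member(n, dest)]


if __name__ == "__main__":
    # Constructed sample member list mixing harmless and traversal-style names.
    sample = [
        "photos/picture.jpg",
        "..\\..\\Temp\\dropper.exe",
        "C:\\Users\\Public\\dropper.exe",
        "\\\\server\\share\\dropper.exe",
        "/tmp/dropper.exe",
    ]
    for bad in unsafe_members(sample):
        print("refusing to extract:", bad)
```

Run this over an archive's member listing before extraction; any name it reports should be treated as hostile rather than written to disk.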

The attacker lures victims into decompressing the archive by embedding a corrupt, incomplete image of a woman. The ransomware renames encrypted files with the .Jnec extension.


The ransomware encrypts data on the victim’s machine, appends the .Jnec extension to the encrypted files, and demands a ransom of 0.05 bitcoin (about $200).

Once the ransomware has encrypted the files on the victim’s computer, it generates a Gmail address that the victim must create in order to receive the file decryption key once the ransom is paid.

Figure: JNEC.a ransom note

Impact

Execution of arbitrary code.

Indicators of Compromise

Filename: vk_4221345.rar, GoogleUpdate.exe
Malware Hash (MD5/SHA1/SHA256):
9ebe2ee958ddd61c93400293d6903ab0
bf9ec6fe2352faddb147ebe8369ccaa76f8c60e7

Remediation

  • Users are advised to update to the patched version, WinRAR 5.70.
  • Avoid opening unknown files sent by unknown senders.