Why it matters: If you have WinRAR installed, make sure you've updated to the most recent version, which patches a critical security vulnerability. Vulnerable versions can be compromised by booby-trapped archive files, and opportunistic hackers are now using this attack vector to hit unknowingly vulnerable users before they can patch.
Download shortcut: WinRAR 5.70
Back in February, cybersecurity firm Check Point disclosed a vulnerability that had existed in WinRAR for some 19 years. The attack vector stems from WinRAR's support for the outdated ACE archive format: an attacker could give an ACE file a .rar extension and use it as a booby trap that plants malicious code in a machine's startup folder, where it executes after a reboot.
Rarlab issued a patch and statement, but those who are not using the most recent version are still at risk.
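As an added defensive check (not code from the article, Check Point or Rarlab), the following Python scans a folder for files that carry a .rar extension but whose header is the ACE format, which is the disguise described above. The RAR and ACE signatures are publicly documented magic bytes; the sample files the demo writes are constructed stand-ins, not real archives.

```python
from pathlib import Path
import tempfile

# Format signatures (publicly documented magic bytes, not taken from the article):
# RAR 4.x files begin "Rar!\x1a\x07\x00", RAR 5 files "Rar!\x1a\x07\x01\x00".
RAR_MAGIC = b"Rar!\x1a\x07"
# ACE archives carry "**ACE**" at byte offset 7 of the main header,
# after the 2-byte CRC, 2-byte header size, 1-byte type and 2-byte flags.
ACE_MAGIC = b"**ACE**"
HEADER_BYTES = 14  # enough to cover both checks


def classify_archive(head: bytes) -> str:
    """Classify a file from its leading bytes as 'rar', 'ace' or 'unknown'."""
    if head.startswith(RAR_MAGIC):
        return "rar"
    if head[7:14] == ACE_MAGIC:
        return "ace"
    return "unknown"


def find_disguised_ace(root) -> list:
    """Return paths under root whose name says .rar but whose header says ACE.

    A .rar extension does not stop WinRAR from treating ACE content as ACE,
    so these files deserve quarantine or a closer look rather than a double-click."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".rar":
            continue
        with open(path, "rb") as f:
            head = f.read(HEADER_BYTES)
        if classify_archive(head) == "ace":
            hits.append(str(path))
    return sorted(hits)


def demo() -> list:
    """Scan a temp directory holding constructed sample files (not real archives)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "legit.rar").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 16)
    (tmp / "suspect.rar").write_bytes(b"\x00" * 7 + b"**ACE**" + b"\x00" * 16)
    (tmp / "readme.txt").write_bytes(b"plain text, skipped by the extension filter")
    return find_disguised_ace(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("ACE content behind a .rar extension:", hit)
```

Only the header is inspected, so the scan is cheap enough to run across a downloads folder or a mail attachment store.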
Now, hackers are leveraging the exploit to reach vulnerable systems before users update. McAfee revealed it has identified "over 100 unique exploits and counting." One particular implementation targets Ariana Grande fans looking to bootleg the artist's popular album "Thank U, Next" by using a file named "Ariana_Grande-thank_u,_next(2019)_[320].rar" that is booby-trapped with malicious code.
Other campaigns have been used to spread malware through the WinRAR exploit as well, as 360 Threat Intelligence Center has been documenting via Twitter.
Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://t.co/bK0ngP2nIy
--- 360 Threat Intelligence Center (@360TIC) February 25, 2019
IOC:
hxxp://138.204.171.108/BxjL5iKld8.zip
138.204.171.108:443
Warning! Upgrades in the #WinRAR vulnerability (#CVE-2018-20250) exploit, use social engineering to lure victims with embedded image files and encrypt the malicious ACE archive before delivering.
--- 360 Threat Intelligence Center (@360TIC) February 27, 2019
Analysis report: https://t.co/LEcRPqP0cT
Chinese version: https://t.co/wbDCdZl1YV
WinRAR exploit (#CVE-2018-20250) sample (united nations .rar) seems targeting the Middle East. Embedded with bait documents relating to the United Nations Human Rights and the #UN in Arabic, it finally downloads and executes #Revenge RAT. https://t.co/WJ4oJ1UxAz
--- 360 Threat Intelligence Center (@360TIC) March 12, 2019
WinRAR has an estimated 500 million users, most of whom probably don't know about this vulnerability, and that makes for an attractive attack surface. This attack is bound to gain more traction, so please share this with friends and family who have WinRAR installed, and grab the most recent version of the software.