
Known Cybergang Exploits Old WinRAR Flaw to Attack Windows Enterprise Customers

Fourteen months ago, researchers at Check Point came across a vulnerable Dynamic Link Library (DLL) used by the popular WinRAR compression tool. The DLL let malicious files archived in the '.ace' compression format land on the targeted machine once WinRAR extracted them. The flaw, which immediately exposed half a billion WinRAR users to potential attacks, was so serious that the vendor released an updated version of the software that no longer supported '.ace' extraction at all. However, no patch was ever released for the then-current 5.61 version (or older ones), so a large number of WinRAR users remain at risk to this day.

Quick facts about the exploit:

  • A cybercrime gang known as MuddyWater developed the exploit.
  • The latest victims are Enterprise Microsoft customers providing satellite and communications services.
  • The threat arrived as a collection of compromised '.ace' archive files capable of planting malware onto a PC following WinRAR extraction.

The Latest Victims to the WinRAR Flaw

Judging from the recent attack against enterprise Microsoft Windows customers providing satellite and communications services, the exploit is still very much active. In March 2019, Microsoft's Office 365 Advanced Threat Protection (ATP) team detected a collection of malicious .ace files on many Windows 10 Enterprise machines belonging to corporate clients. The files turned out to exploit the CVE-2018-20250 vulnerability, i.e., the flaw in the DLL responsible for extracting .ace archives, which is present in all WinRAR versions bar 5.70 (the current one). Although WinRAR released v5.70 more than a year ago, many users have yet to update to the new, .ace-free version.

The Prime Suspect – a Well-Known APT Group

According to Microsoft, it was MuddyWater, an Advanced Persistent Threat (APT) group, that initiated the March 2019 attack. MuddyWater's operators are notorious for sending spear-phishing emails targeting public entities and business organizations in the United States, Europe, and the Middle East. So far, the gang has carried out attacks in Jordan, Turkey, Saudi Arabia, Azerbaijan, Iraq, Pakistan, and Afghanistan, to name but a few. Every campaign has featured macro malware embedded in a document attached to a spam email. Opening the attachment prompted the victim to enable macros, and the macros in turn allowed remote code execution.

This Time It’s a Bit Different, Though

It appears that the new campaign features a slightly modified approach. Instead of planting a malware-laden Word file, the crooks attach a macro-free document. That document contains a OneDrive URL which, when opened, downloads a .ace archive containing another Word file. Unlike the original attachment, this second document is packed with malicious macros. The infection succeeds if the unsuspecting recipient:

  1. Enables macros when prompted to do so.
  2. Agrees to reboot the PC to fix a 'missing .dll file.'

Doing the former drops the malware payload, a file called dropbox.exe, into the Windows Startup folder. Doing the latter loads the malware during system startup, giving the attackers at the C&C server remote access to the compromised computer.
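As an added illustration (not from the original article, Microsoft or WinRAR), the following Python snippet shows two defender-side checks that follow from the chain above: a WinRAR version test against the 5.70 threshold, and a detector that flags file-create events in which an archive extractor writes into a Windows Startup folder, the behaviour this flaw makes possible. The event format, process image names and folder paths are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Assumed process image names for WinRAR's extractors (not taken from the article).
EXTRACTORS = {"winrar.exe", "rar.exe", "unrar.exe"}
# A file dropped under a Startup folder is launched at the next logon or reboot.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

@dataclass
class Alert:
    time: str
    process: str
    path: str
    reason: str

def winrar_vulnerable(version: str) -> bool:
    """Return True when a WinRAR version string is older than 5.70,
    the first release that dropped .ace extraction (CVE-2018-20250)."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2).ljust(2, "0"))
    return (major, minor) < (5, 70)

def scan_file_events(lines):
    """Flag file-create events where an archive extractor writes into a Startup folder.
    Each line is 'time | process image | target path' (a constructed log format)."""
    alerts = []
    for line in lines:
        time, image, target = (f.strip() for f in line.split("|", 2))
        name = image.rsplit("\\", 1)[-1].lower()
        if name in EXTRACTORS and STARTUP_DIR.search(target):
            alerts.append(Alert(time, name, target,
                                "archive extractor wrote into a Startup folder"))
    return alerts

# Constructed sample events; only the second one should raise an alert.
SAMPLE_EVENTS = [
    r"2019-03-12T09:14:02Z | C:\Program Files\WinRAR\WinRAR.exe | C:\Users\alice\Downloads\report\readme.txt",
    r"2019-03-12T09:14:03Z | C:\Program Files\WinRAR\WinRAR.exe | "
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dropbox.exe",
    r"2019-03-12T09:20:11Z | C:\Windows\explorer.exe | C:\Users\alice\Desktop\notes.docx",
]

if __name__ == "__main__":
    print("WinRAR 5.61 vulnerable:", winrar_vulnerable("5.61"))
    for a in scan_file_events(SAMPLE_EVENTS):
        print(f"{a.time} {a.process} -> {a.path}: {a.reason}")
```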

The sheer number of WinRAR users worldwide makes a swift transition to the current version 5.70 challenging. Unfortunately, it is still the only WinRAR version in circulation immune to the CVE-2018-20250 vulnerability.
