Pierluigi Paganini April 01, 2014

Israeli researcher Danor Cohen has discovered a security flaw in WinRAR, IntelCrawler confirmed was exploited in cyber espionage campaign.

WinRAR is a popular shareware file archiver and data compression utility, as usual these applications are targeted by hackers because their penetration level. Recently the Israeli researcher Danor Cohen has discovered that a security flaw in WinRAR is being exploited in a series of malware-based attacks that are targeting government entities and enterprises all around the world as revealed by cyber intelligence company IntelCrawler.  The vulnerability, named WinRAR file extension spoofing, was analyzed by IntelCrawler experts which confirmed that it can be exploited on all versions of WinRAR.

Cohen analyzed a vulnerability in WinRAR that allows an attacker to create a ZIP file that provided fake information on its content, practically it when compressed it appears to contain something different from its real content. An attacker could compress a malicious code and masquerade it as an innocent ZIP file containing any harmless content.

At this point it is enough that victim click on the file, which is an executable, to be infected.

A similar exploit is excellent to conduct undercover cyber espionage campaigns, in fact IntelCrawler experts have observed that bad actors are exploiting the WinRAR file extension spoofing  in a series of attacks against military subcontractors, embassies, aerospace corporations and companies from the Fortune Global 500 list. InterCrawler experts confirmed that the campaign began on March 24th, one of the archive used in the spam campaign and analyzed by IntelCrawler team was protected by a password reported in the content of the email that pretend to be sent from the European Council Legal Affairs.

Let’s give a look to the WinRAR vulnerability and how Cohen has exploited it.

The attacker exploits extra info in the file format descriptor, like the extra “file name” present into the compressed file.

“This Behavior can easily turned into a very dangerous security hole. Think about a hacker that publish some informative “txt” file called “ReadMe.txt” or even PDF like “VirusTotal_ScanResults.pdf” or more tempting file like”My Girl Friend new bathing suit.jpg”. Think about an innocent user that will open that file and instead of getting readme file, PDF book or interesting image, he will get a nasty Trojan Horse…” said Cohen.

POC