WinRAR zero-day exploited in cyber espionage campaign

Israeli researcher Danor Cohen has discovered a security flaw in WinRAR, IntelCrawler confirmed was exploited in cyber espionage campaign.

WinRAR is a popular shareware file archiver and data compression utility, as usual these applications are targeted by hackers because their penetration level. Recently the Israeli researcher Danor Cohen has discovered that a security flaw in WinRAR is being exploited in a series of malware-based attacks that are targeting government entities and enterprises all around the world as revealed by cyber intelligence company IntelCrawler. The vulnerability, named WinRAR file extension spoofing, was analyzed by IntelCrawler experts which confirmed that it can be exploited on all versions of WinRAR.

Cohen analyzed a vulnerability in WinRAR that allows an attacker to create a ZIP file that provided fake information on its content, practically it when compressed it appears to contain something different from its real content. An attacker could compress a malicious code and masquerade it as an innocent ZIP file containing any harmless content.

At this point it is enough that victim click on the file, which is an executable, to be infected.

A similar exploit is excellent to conduct undercover cyber espionage campaigns, in fact IntelCrawler experts have observed that bad actors are exploiting the WinRAR file extension spoofing in a series of attacks against military subcontractors, embassies, aerospace corporations and companies from the Fortune Global 500 list. InterCrawler experts confirmed that the campaign began on March 24th, one of the archive used in the spam campaign and analyzed by IntelCrawler team was protected by a password reported in the content of the email that pretend to be sent from the European Council Legal Affairs.

Let’s give a look to the WinRAR vulnerability and how Cohen has exploited it.

The attacker exploits extra info in the file format descriptor, like the extra “file name” present into the compressed file.

The extra name is the “File Name” of the file that WINRAR provides when users uncompress the archive, the first name is the name displayed in the GUI.

In the two file names are different WinRAR will show the spoofed file name, while after decompression the user will get the real file name.

“This Behavior can easily turned into a very dangerous security hole. Think about a hacker that publish some informative “txt” file called “ReadMe.txt” or even PDF like “VirusTotal_ScanResults.pdf” or more tempting file like”My Girl Friend new bathing suit.jpg”. Think about an innocent user that will open that file and instead of getting readme file, PDF book or interesting image, he will get a nasty Trojan Horse…” said Cohen.

POC

Create a nasty file that will simply display a dialog box with “PWNED” message.
Compress it with WINRAR by choosing “WINZIP” method.
Open the ZIP file with an hex editor, change the second name only, this name will be used to deceive victims (MyPrivateImage.jpg) and save it as a ZIP file.

The WINRAR archive shows you an image file, double click it, the nasty binary file will execute:

Very interesting … what do you think about?

Pierluigi Paganini

(Security Affairs – WinRAR, cyber espionage)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.