• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions

 | 

Malicious AI-generated npm package hits Solana users

 | 

Meta Offers $1M bounty at Pwn2Own Ireland 2025 for WhatsApp exploits

 | 

ToolShell under siege: Check Point analyzes Chinese APT Storm-2603

 | 

CISA released Thorium platform to support malware and forensic analysis

 | 

Russia-linked APT Secret Blizzard targets foreign embassies in Moscow with ApolloShadow malware

 | 

Dahua Camera flaws allow remote hacking. Update firmware now

 | 

Researchers released a decryptor for the FunkSec ransomware

 | 

Apple fixed a zero-day exploited in attacks against Google Chrome users

 | 

PyPI maintainers alert users to email verification phishing attack

 | 

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

 | 

Critical SAP flaw exploited to launch Auto-Color Malware attack on U.S. company

 | 

Orange reports major cyberattack, warns of service disruptions

 | 

Hackers leak images and comments from women dating safety app Tea

 | 

Pro-Ukraine hacktivists claim cyberattack on Russian Airline Aeroflot that caused the cancellation of +100 flights

 | 

Seychelles Commercial Bank Reported Cybersecurity Incident

 | 

Microsoft uncovers macOS flaw allowing bypass TCC protections and exposing sensitive data

 | 

U.S. CISA adds Cisco ISE and PaperCut NG/MF flaws to its Known Exploited Vulnerabilities catalog

 | 

Critical WordPress Post SMTP plugin flaw exposes 200K+ sites to full takeover

 | 

Scattered Spider targets VMware ESXi in using social engineering

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Hacking
  • Recently fixed WinRAR bug actively exploited in the wild

Recently fixed WinRAR bug actively exploited in the wild

Pierluigi Paganini March 15, 2019

Several threat actors are still exploiting a recently patched critical vulnerability in the popular compression software WinRAR.

Several threat actors are actively exploiting a critical remote code execution vulnerability recently addressed in WinRAR.

The exploitation of the flaw in the wild is worrisome because the WinRAR software doesn’t have an auto-update feature, leaving millions of users potentially exposed to cyber attacks.

The vulnerability, tracked as CVE-2018-20250, was discovered by experts at Check Point in February, it could allow an attacker to gain the control of the target system.

Over 500 million users worldwide use the popular software and are potentially impacted by the flaw that affects all versions of released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially-crafted file archive.

winrar

The issue affects a third-party library, called UNACEV2.DLL that is used by WINRAR, it resides in the way an old third-party library, called UNACEV2.DLL, handles the extraction of files compressed in ACE data format. The experts pointed out that WinRAR determines the file format by analyzing its content and not the extension, this means that an attacker can change the .ace extension to .rar extension to trick the victims.

The researchers discovered that an attacker leveraging the path traversal vulnerability could extract compressed files to a folder of their choice rather than the folder chosen by the user. Dropping a malicious code into Windows Startup folder it would automatically run on the next reboot.

The WinRAR development team addressed the issue with the release of WinRAR version 5.70 beta 1.

The following video PoC shows how to gain full control over a targeted system by tricking the victims into opening maliciously crafted compressed archive file using WinRAR.

WA few days after the disclosure of the flaw, researchers at the 360 Threat Intelligence Center discovered a malspam campaign that was distributing a malicious RAR archive that could exploit the flaw to install deliver malware on a computer.

Now, security experts from McAfee reported that attackers are continuing in exploiting the WinRAR flaw, they identified more than “100 unique exploits and counting” in the first week since the vulnerability was publicly disclosed.

“In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.” reads the advisory published by McAfee.

According to the experts, most of the initial targets are located in the United States, in one case attackers attempted to spread the malware through a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”

The file associated with the fake Ariana Grande’s hit album is currently detected by a limited number of antivirus solutions.

The malicious RAR file (Ariana_Grande-thank_u,_next(2019)_[320].rar) extracts a list of harmless MP3 files to the victim’s download folder along with a malicious executable file to the startup folder that allows infecting the targeted system.

“When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Access Control (UAC) is bypassed, so no alert is displayed to the user. The next time the system restarts, the malware is run.” continues the analysis.

Experts recommend users to keep their system up to date, install the latest version of WinRAR and avoid opening files from untrusted sources.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – WinRAR, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

malspam malware Pierluigi Paganini Security Affairs WinRAR

you might also like

Pierluigi Paganini August 02, 2025
China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions
Read more
Pierluigi Paganini August 01, 2025
Malicious AI-generated npm package hits Solana users
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    China Presses Nvidia Over Alleged Backdoors in H20 Chips Amid Tech Tensions

    Intelligence / August 02, 2025

    Malicious AI-generated npm package hits Solana users

    Malware / August 01, 2025

    Meta Offers $1M bounty at Pwn2Own Ireland 2025 for WhatsApp exploits

    Hacking / August 01, 2025

    ToolShell under siege: Check Point analyzes Chinese APT Storm-2603

    APT / August 01, 2025

    CISA released Thorium platform to support malware and forensic analysis

    Cyber Crime / August 01, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT