Exploit detected that uses a WinRAR flaw to install a backdoor

Anonymous

Researchers from Check Point discovered a bug in WinRAR, a flaw that has been present for almost two decades. It originates from an old DLL from 2006 that lacked the necessary protection mechanisms. Because of this flaw, some 500 million users could be at risk. This week the first exploit was detected; it was sent through an email that included a RAR file as an attachment.

Exploit detected that abuses the WinRAR flaw to install a backdoor

The specific flaw lies in a third-party library called UNACEV2.DLL. As a countermeasure, a beta version has been released in which the library is removed, which means ACE files are no longer supported.

Possibly the first malware delivered through mail to exploit WinRAR vulnerability. The backdoor is generated by MSF and written to the global startup folder by WinRAR if UAC is turned off. https://t.co/bK0ngP2nIy

IOC:

hxxp://138.204.171.108/BxjL5iKld8.zip

138.204.171.108:443 pic.twitter.com/WpJVDaGq3D

- RedDrip Team (@RedDrip7) February 25, 2019

The WinRAR flaw

Yesterday the first exploit that tries to implant a backdoor on an infected computer was detected, so it appears to be the first to take advantage of this WinRAR bug, although that does not mean there are no others that have not yet been discovered. When the researchers examined the attached RAR file mentioned above, they saw that it attempted to extract a file into the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ folder.

When this happens, the file is copied to %Temp%\ and the wbssrv.exe file is then run, according to the researchers. Once the malicious code runs, it downloads the Cobalt Strike Beacon DLL, which cybercriminals use to access computers remotely.
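The two observable steps described above (an archive entry landing in the global Startup folder, then a binary running from %Temp%) can be turned into defensive checks. The following Python is an added example, not code from the article, Check Point or the RedDrip Team. It assumes the flaw lets an archive entry name resolve to a path outside the directory the user chose for extraction (an absolute, drive-qualified or `..`-traversing name), and rejects such names before anything is written; it also runs a simple detection over Sysmon-style event lines for file creation in the Startup folder and process launches from a Temp directory. The entry names and event lines are constructed for the example, and the field names (`EventID`, `Image`, `TargetFilename`) are assumed.

```python
import ntpath
import re

# Global Startup folder named in the article (the backdoor was written here).
STARTUP_DIR = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"


def resolves_outside(entry_name: str, dest_dir: str) -> bool:
    """Return True if extracting an entry called `entry_name` into `dest_dir`
    would write outside `dest_dir`. Uses ntpath so Windows path semantics
    apply no matter which host runs the check."""
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # A drive letter, UNC prefix or leading backslash ignores dest_dir entirely.
    if drive or rest.startswith("\\"):
        return True
    dest = ntpath.normpath(dest_dir).rstrip("\\")
    # normpath collapses any '..' components, so a traversal shows up here.
    target = ntpath.normpath(ntpath.join(dest, rest))
    return not target.lower().startswith(dest.lower() + "\\")


def unsafe_entries(entry_names, dest_dir):
    """Names an extractor must refuse before writing anything to disk."""
    return [n for n in entry_names if resolves_outside(n, dest_dir)]


# Key=value pairs whose values may contain spaces ("Start Menu", "Program Files").
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> dict:
    return dict(_KV.findall(line))


def _under(path: str, folder: str) -> bool:
    p = ntpath.normpath(path).lower()
    f = ntpath.normpath(folder).rstrip("\\").lower()
    return p.startswith(f + "\\")


def suspicious_events(lines):
    """Flag (index, reason) for events matching the chain in the article:
    EventID 11 = file create, EventID 1 = process create (Sysmon numbering)."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if ev.get("EventID") == "11" and _under(ev.get("TargetFilename", ""), STARTUP_DIR):
            hits.append((i, "file written to global Startup folder"))
        elif ev.get("EventID") == "1" and "\\temp\\" in ev.get("Image", "").lower():
            hits.append((i, "process launched from a Temp directory"))
    return hits


# Constructed sample data (not real IoCs from the article).
SAMPLE_ENTRIES = [
    "notes.txt",
    r"docs\readme.txt",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe",
    r"..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\payload.exe",
]
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\wbssrv.exe",
    r"EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\Users\victim\Downloads\notes.txt",
    r"EventID=1 Image=C:\Users\victim\AppData\Local\Temp\wbssrv.exe ParentImage=C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for n in unsafe_entries(SAMPLE_ENTRIES, r"C:\Users\victim\Downloads"):
        print("refuse entry:", n)
    for i, why in suspicious_events(SAMPLE_EVENTS):
        print(f"event {i}: {why}")
```

Only the two traversing entries are refused and only events 0 and 2 are flagged; the plain `notes.txt` write is left alone, which is the behaviour a pre-extraction check and a Startup-folder detection rule should both have.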

Users are advised to update to the latest version of WinRAR, which the company has already made available on its website. To download it, follow this link.

Source: The Hacker News
