Late last month, security researchers disclosed details of a critical vulnerability in the long-established compression tool WinRAR. The bug is many years old, and although it concerns the rarely used ACE format and has since been patched, attackers have been found actively exploiting it ever since the details were published.
The 19-year-old bug in the UNACEV2.DLL file (CVE-2018-20250) allows an attacker to execute malicious files hidden in compressed archives. More than 100 exploits have been found targeting people who have yet to update to a secure version of the software, and that number is growing. McAfee reports attackers using Ariana Grande's "Thank U, Next" album as bait to lure victims into extracting malicious archives, while other security researchers report the use of images.
In a blog post, Craig Schmugar of McAfee says that "in the first week after the vulnerability was disclosed, McAfee identified more than 100 unique exploits and counting." Most of these cases are in the United States. He explains how victims are tricked into installing malware on their systems:
A recent example involves a bootlegged copy of Ariana Grande's hit album "Thank U, Next" with the file name "Ariana_Grande-thank_u,_next(2019)_.rar"
When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so the user does not receive any notification. The next time the system reboots, the malware runs.
360's Intelligence Center also reports that attackers are using compressed archives packed with thumbnail images to deceive victims:
As expected, we captured more samples using this vulnerability in the following days, and we also noticed some related APT attacks. Apparently, the attackers use this exploit in a more subtle way. For example, they embed many images and leverage the decompression step, because the files cannot be scanned inside the compressed archive; they encrypt the malicious ACE file before it is delivered, and so on.
To help mitigate the attacks, an update has been released for WinRAR that drops support for the little-used ACE format and removes the vulnerable UNACEV2.DLL file. In the release notes for WinRAR 5.70, RAR Labs explained:
WinRAR has always been known for its broad support of all popular compression formats. A recent report by Check Point Software revealed a potential security vulnerability in the UNACEV2.DLL library, which was used in earlier versions of WinRAR to decompress ACE archives. No attacks have been reported so far, but to provide WinRAR users with a stable and clean version, the final version of WinRAR 5.70 has been released. Since UNACEV2.DLL has not been updated since 2005 and access to its source code is not available, it was decided to drop support for the ACE archive format starting with WinRAR 5.70. Now, after the launch of the final and stable version of WinRAR 5.70, it is highly recommended to upgrade immediately to the new version 5.70.
For users who are not interested in upgrading, or who cannot yet find a localized version of WinRAR 5.70, win.rar GmbH's advice is to delete the UNACEV2.DLL file from their current WinRAR version in order to be securely protected again. All users of WinRAR 5.10 or any later version can find the UNACEV2.DLL file in the WinRAR folder. Users of WinRAR versions older than 5.10 may find the UNACEV2.DLL file in the Formats subfolder of the WinRAR program folder.
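One way to act on the vendor advice above across a fleet, as an added PowerShell audit script that is not from the article, McAfee, 360 or RAR Labs: it checks the two assumed default install folders (override with -InstallPath), reports the WinRAR.exe version and any UNACEV2.DLL copy in the WinRAR folder or its Formats subfolder, and deletes the DLL only when -Remove is given (honouring -WhatIf).

```powershell
# Added audit script (not the article's or the vendor's code). Default install
# folders below are assumptions; pass -InstallPath for a non-standard install.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$InstallPath = @("$env:ProgramFiles\WinRAR", "${env:ProgramFiles(x86)}\WinRAR"),
    [switch]$Remove   # delete any UNACEV2.DLL found; -WhatIf previews the deletion
)

$fixedVersion = [version]'5.70'   # first release that ships without UNACEV2.DLL

foreach ($dir in $InstallPath) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # Read the product version from WinRAR.exe; a non-numeric string (e.g. a beta
    # build) fails the [version] cast and leaves $version as $null.
    $version = $null
    $exe = Join-Path $dir 'WinRAR.exe'
    if (Test-Path -LiteralPath $exe) {
        try { $version = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion } catch { }
    }

    # A recursive search covers both locations named in the vendor advice: the
    # WinRAR folder itself (5.10 and later) and the Formats subfolder (older builds).
    $dlls = @(Get-ChildItem -LiteralPath $dir -Recurse -File -Filter 'UNACEV2.DLL' -ErrorAction SilentlyContinue)

    # The DLL itself is the vulnerable component, so its presence decides the status.
    if ($dlls.Count -gt 0) {
        $status = 'VULNERABLE: UNACEV2.DLL present'
    } elseif ($version -and $version -ge $fixedVersion) {
        $status = 'OK: WinRAR 5.70 or later'
    } else {
        $status = 'OK: UNACEV2.DLL already removed'
    }

    [pscustomobject]@{
        Install = $dir
        Version = $version
        Status  = $status
        Dlls    = $dlls.FullName
    }

    if ($Remove) {
        foreach ($dll in $dlls) {
            if ($PSCmdlet.ShouldProcess($dll.FullName, 'Delete vulnerable UNACEV2.DLL')) {
                Remove-Item -LiteralPath $dll.FullName -Force
            }
        }
    }
}
```

Run it as an administrator, since the WinRAR folder under Program Files is not writable otherwise; a sample invocation is `.\Audit-WinRAR.ps1 -Remove -WhatIf` (script name assumed).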
The problem, however, is that while WinRAR is installed on many systems, it is a shareware tool that many users have installed for occasional use only, and such people are unlikely to be aware that there is a security issue requiring an update to be installed.
Image credit: Studio_G / Shutterstock