WinRAR Vulnerability Exploited to Deliver New Malware

A recently patched vulnerability affecting the popular archiver utility WinRAR has been increasingly exploited by malicious actors, including to deliver new malware to targeted users.

The security hole, tracked as CVE-2018-20250, impacts UNACEV2.dll, a third-party library that WinRAR used to unpack ACE archives. RARLab had no source code for the unmaintained library and could not patch it, so it dropped ACE support entirely and removed the DLL with the release of WinRAR 5.70. Many users have failed to update the application, allowing threat actors to continue launching attacks; a quick check on a machine is that the installed version is 5.70 or later and that UNACEV2.dll is no longer present in the WinRAR program folder.

The flaw is a path traversal in the library's handling of the filename stored in an ACE file header: its validation of absolute paths can be bypassed, so a crafted name is written where it says rather than relative to the destination folder. A specially crafted ACE archive can therefore extract a harmless decoy to the folder selected by the user while silently writing a second file to a location specified by the attacker, and WinRAR shows the user only the decoy. Writing malware to the Windows Startup folder turns this into code execution: the per-user Startup folder is writable without elevation, and anything placed there runs with the user's privileges at the next logon.
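The invariant a safe extractor has to enforce is that every entry's destination resolves underneath the folder the user chose, no matter what the archive's filename field says. The following is an added, illustrative check written for this page; it is not WinRAR's or RARLab's code, it does not parse the ACE format, and the entry names it scans are constructed samples (the Startup-folder path and the winSrvHost.vbs name follow the campaign described later in the article). It uses Python's ntpath so Windows path rules apply on any platform, and it rejects drive-qualified, UNC and rooted names outright before checking for traversal, then flags any destination that lands in a default Startup folder.

```python
import ntpath

# Constructed sample entry names for the demonstration; none come from a real archive.
SAMPLE_ENTRIES = [
    "cswe_accreditation.docx",                       # benign decoy
    "docs\\..\\readme.txt",                          # '..' that stays inside the root
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winSrvHost.vbs",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winSrvHost.vbs",
    "C:\\C:C:../AppData/Roaming/x.vbs",              # repeated drive prefix, mixed separators
    "\\\\attacker\\share\\payload.exe",              # UNC path
    "\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\p.exe",  # rooted, no drive
]

# Default per-user and all-users Startup locations on Windows (redirected
# or non-default profile folders are not covered by this simple check).
STARTUP_MARKERS = (
    "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\",
    "\\programdata\\microsoft\\windows\\start menu\\programs\\startup\\",
)


def safe_destination(extract_root: str, entry_name: str) -> str:
    """Resolve entry_name under extract_root (an absolute Windows path) or
    raise ValueError if the name is absolute, drive-qualified, UNC, rooted,
    or climbs out of the root via '..'."""
    if not entry_name or "\x00" in entry_name:
        raise ValueError("empty or NUL-containing entry name")
    # Windows treats '/' as a separator too; normalise before any check.
    name = entry_name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)          # catches 'C:...' and '\\\\server\\share'
    if drive or name.startswith("\\") or ntpath.isabs(name):
        raise ValueError(f"absolute, rooted or drive-qualified name: {entry_name!r}")
    root = ntpath.normpath(extract_root)
    dest = ntpath.normpath(ntpath.join(root, name))
    # normpath collapses '..' segments, so an escape shows up as a destination
    # whose common prefix with the root is shorter than the root itself.
    if ntpath.commonpath([root, dest]) != root:
        raise ValueError(f"entry escapes extraction folder: {entry_name!r}")
    return dest


def targets_startup_folder(path: str) -> bool:
    """True if a resolved Windows path lies inside a default Startup folder,
    i.e. a file written there would run at the next logon."""
    lowered = path.replace("/", "\\").lower()
    return any(marker in lowered for marker in STARTUP_MARKERS)


def triage_entries(extract_root: str, names):
    """Return {entry_name: verdict} where verdict is 'ok', 'ok (startup!)' when
    a relative name still resolves into Startup, or 'rejected: <reason>'."""
    verdicts = {}
    for name in names:
        try:
            dest = safe_destination(extract_root, name)
        except ValueError as exc:
            verdicts[name] = f"rejected: {exc}"
            continue
        verdicts[name] = "ok (startup!)" if targets_startup_folder(dest) else "ok"
    return verdicts


if __name__ == "__main__":
    root = "C:\\Users\\victim\\Downloads\\out"     # assumed destination chosen by the user
    for entry, verdict in triage_entries(root, SAMPLE_ENTRIES).items():
        print(f"{verdict:<70} {entry}")
```

Note that the check is applied to the resolved destination, not to the raw string: a name such as docs\..\readme.txt is legitimate because it still lands inside the chosen folder, whereas every name that would reach a Startup folder from a Downloads subfolder is refused. The "ok (startup!)" verdict only fires when the user deliberately extracts into Startup, which is worth surfacing to an analyst but is not a parser bug.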

The first attacks exploiting CVE-2018-20250 were observed just days after details of the flaw were made public. McAfee reported seeing over 100 unique exploits in the first week alone, with most targets being located in the U.S.

Other cybersecurity firms have seen attacks launched against Ukraine, the Middle East, and South Korea, and some of these operations have been attributed to advanced persistent threat (APT) actors.

Symantec reported on Wednesday that the WinRAR vulnerability had also been exploited by an Iran-linked cyber espionage group tracked as Elfin (also known as APT33) in an attack aimed at a chemicals organization in Saudi Arabia.

FireEye has also monitored attacks and the company reported this week that it had spotted four campaigns, including ones that delivered new pieces of malware.

One of these operations, likely aimed at users in the United States, involves decoy documents apparently coming from the Council on Social Work Education (CSWE), a national association representing social work education in the U.S.


The hackers copied an accreditation-related document from the CSWE website and sent it to targeted individuals inside an ACE file. When the document is extracted with WinRAR, CVE-2018-20250 is exploited to plant a VBS backdoor (winSrvHost.vbs) in the Windows Startup folder.

Once executed at the next logon, the backdoor collects some information about the compromised machine and starts communicating with its command and control (C&C) server. The malware allows the attackers to download and execute files on the targeted device. In one instance it was used to deliver the Netwire RAT.

Dileep Kumar Jallepalli, research scientist at FireEye, told SecurityWeek that this VBS backdoor is a new piece of malware.

Another new piece of malware delivered via a WinRAR exploit was spotted in a campaign apparently targeting a company related to the Israeli military. The attackers sent out emails with an ACE archive containing documentation for SysAid, a helpdesk service based in Israel. The decoy files also included a shortcut file named Thumbs.db.lnk that could be used by the attacker to steal NTLM hashes from the system: a shortcut whose icon points at an attacker-controlled SMB server makes Windows authenticate to that server as soon as Explorer renders the folder, leaking the user's NTLM challenge-response for offline cracking or relay, without the victim ever clicking the file.

In the Startup folder, the attackers extract a new piece of malware that FireEye calls SappyCache. This malware also attempts to download and execute other files, but the C&C server did not respond with any payloads during the company’s analysis.

Another campaign involved archives storing stolen access credentials and payment card data. When the victim extracts these documents, one of several pieces of malware is extracted to their system. The list of payloads used in this operation includes QuasarRAT, Azorult, Netwire, Razy and Buzy, which allow attackers to steal data and take control of compromised systems.

The fourth campaign spotted by FireEye appeared to target Ukraine and it involved the open-source PowerShell post-exploitation framework Empire as the backdoor. The same attack was previously documented by the 360 Threat Intelligence Center of Chinese cybersecurity firm Qihoo 360.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
