HomeWinBuzzer NewsUpdate WinRAR 'Right Away' Warn Security Analysts as New Attacks Surface

Update WinRAR ‘Right Away’ Warn Security Analysts as New Attacks Surface

A previously discovered WinRAR exploit is still being exploited in the wild, with attackers installing spyware, backdoors, and ransomware when user's extract files.


Security analysts are warning users to update WinRAR immediately as a flood of new dangerous new attacks surface. Utilizing CVE-2018-20250, a 19-year-old flaw spotted in February, can gain remote access to PCs, install ransomware, or spy on bank details.

According to FireEye, a number of new campaigns have sprung up utilizing the vulnerability, attacking the Israeli Military, installing VBS backdoors, and deploying malware.

“CVE-2018-20250[…]enables attackers to specify arbitrary destinations during file extraction of ‘ACE' formatted files, regardless of user input,” explains FireEye. “Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, like the Windows ‘Startup' Start Menu folder.”

The first campaign disguises itself as an educational accreditation council. When users extract a file named Scan_Letter_of_Approval.rar, a VBScript file is created. After being transferred to the startup folder, it opens a backdoor in the system.

Meanwhile, an attack on the Israeli military industry is disguised as Sys-Aid documentation. In then deploys payload ekrnview.exe to the startup folder. The third attack method was found in Ukraine, a file called zakon.rar used to instigate the Empire backdoor.

Finally, a .rar of decoy credit card dumps installs a RAT and password stealers on the user's system. This one contains a number of different payloads that are detectable by VirusTotal.

Manual Update Required

As you can tell, attackers are having a field day with this exploit, and there's a good reason. Unlike other software, WinRAR requires manual updates. To advance the version, you must download the latest copy from the official site.

As a result, many users have outdated copies of the software and are a prime target for the exploit. Both FireEye and Kaspersky recommend users update to version 5.70 or higher. As always, you should never open archives from unknown senders.

You can check your WinRAR version by clicking ‘Help>About WinRAR' in your app.

Last Updated on April 9, 2020 10:43 am CEST

Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.

Recent News