The 19-year-old vulnerability was disclosed by checkpoint security researchers last week, the v
This vulnerability can be exploited by an attacker with specially crafted ACE archive and to extract the file in windows startup folder to gain the persistence and to get launched automatically once the user logged in to the computer.
First Malspam Campaign
360 Threat intelligence center detected a malspam campaign that delivers a malcious RAR archive by exploiting this vulnerability.The backdoor is generated MSF and it extracts to user’s startup folder.
According to Bleeping Computer analysis the malware fails to execute due to lack of permissions if UAC is running in the machine, the extraction fails with the error “Access is denied” and “operation failed”.
If the UAC is disabled or the WinRAR running with the admin privileges then the malware will get extract to the
- The malware gets extracted to CMSTray.exe and it will be launched upon next login
- Once the malware launched it copies the CMSTray.exe file to %Temp%wbssrv.exe and the executable get’s executed.
- Upon execution, it connects with the following 220.127.116.11 and downloads various tools including the including the asynchronous post-exploitation agent Cobalt Strike Beacon.
- Once the DLL got loaded the attackers able to obtain remote connection over the victim’s machine and run’s various commands.
If you have not yet updated the WinRAR, it’s time to update with the latest version of the WinRAR(WinRAR 5.70 beta 1).