Sunday, February 9, 2025
HomeComputer SecurityFirst Malware Campaign Exploits WinRAR ACE vulnerability To Hack Windows Computer

First Malware Campaign Exploits WinRAR ACE vulnerability To Hack Windows Computer

Published on

SIEM as a Service

Follow Us on Google News

Researchers have detected the first malspam campaign that delivers a malicious RAR archive to infect victim’s computer exploiting the WinRAR ACE vulnerability.

The 19-year-old vulnerability was disclosed by checkpoint security researchers last week, the vulnerability resides in the WinRAR UNACEV2.DLL library.

This vulnerability can be exploited by an attacker with specially crafted ACE archive and to extract the file in windows startup folder to gain the persistence and to get launched automatically once the user logged in to the computer.

First Malspam Campaign

360 Threat intelligence center detected a malspam campaign that delivers a malcious RAR archive by exploiting this vulnerability.The backdoor is generated MSF and it extracts to user’s startup folder.

Based on analysis the malware fails to execute due to lack of permissions if UAC is running in the machine, the extraction fails with the error “Access is denied” and “operation failed”.

Training Course: Certified Cyber Threat Intelligence Analysts course that we’ll introduce you to the 8 phases of threat intelligence.

If the UAC is disabled or the WinRAR running with the admin privileges then the malware will get extract to the user’s Startup folder C:\ProgramData\Microsoft\Windows\StartMenu\Programs\Startup\CMSTray.exe and it will execute with the user’s next login.

  • The malware gets extracted to CMSTray.exe and it will be launched upon next login
  • Once the malware launched it copies the CMSTray.exe file to %Temp%\wbssrv.exe and the executable get’s executed.
  • Upon execution, it connects with the following 138.204.171.108 and downloads various tools including the including the asynchronous post-exploitation agent Cobalt Strike Beacon.
  • Once the DLL got loaded the attackers able to obtain remote connection over the victim’s machine and run’s various commands.

If you have not yet updated the WinRAR, it’s time to update with the latest version of the WinRAR(WinRAR 5.70 beta 1).

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

UK Pressures Apple to Create Global Backdoor To Spy on Encrypted iCloud Access

United Kingdom has reportedly ordered Apple to create a backdoor allowing access to all...

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...