WinRAR Zero-day Abused In Multiple Campaigns [CVE-2018-20250]

CVE Number – CVE-2018-20250

The FireEye website has released a report on four malware campaigns that are utilizing a vulnerability in WinRAR ( CVE-2018-20250 ) that allows code execution on the target machine.

Details

WinRAR could allow a remote attacker to execute arbitrary code on the system, caused by a directory traversal in the functionality of the ACE Handler component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.

Further technical details – https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html

Campaign 1: Impersonating an Educational Accreditation Council

The initial infection vector likely sources from a phishing email that contains an archive named “Scan_Letter_of_Approval.rar” that extracts winSrvHost.vbs into the victim’s startup folder. This VBScript file opens a backdoor into the system complete with command and control to the attacker’s server. The main function of this script is to download and execute more malware issued by the attacker.

Campaign 2: Attack on Israeli Military Industry

The nitial infection vector likely sources from a phishing email that contains an archive named “SysAid-Documentation.rar”. FireEye notes that when looking at the email headers of the email, they “believe this is an attack on an Israeli military company”. This archive extracts a file “ekrnview.exe” to the Windows startup folder of the victim’s system. This malware is dubbed “SappyCache” by FireEye and is used to download and execute more malware to the system. This malware includes HTTP-based communication back to the attacker’s servers.

Campaign 3: Potential Attack in Ukraine with Empire Backdoor

The initial infection vector likely sources from a phishing email that contains an archive named “zakon.rar”. This file contains the document “Ukraine.pdf” which contains a message on the law of Ukraine about public-private partnerships that purports to be a message from Viktor Yanukovych, former president of Ukraine. This file also drops a file named “mssconf.bat” into the Windows startup folder. This file contains base64-encoded PowerShell commands that download the Empire Backdoor malware.

Campaign 4: Credential and Credit Card Dumps as Decoys

The nitial infection vector appears to source from stolen credit card “dumps” that contain a file “leaks copy.rar”, or “cc.rar”. FireEye notes that this campaign utilizes various malware as It’s second stage payload.

Indicators of Compromise

Scan_Letter_of_Approval.rar 8e067e4cda99299b0bf2481cc1fd8e12
winSrvHost.vbs 3aabc9767d02c75ef44df6305bc6a41f
Letter of Approval.pdf dc63d5affde0db95128dac52f9d19578
pwi_crs.exe 12def981952667740eb06ee91168e643
C2 185[.]162.131.92
Netwire C2 89[.]34.111.113
SysAid-Documentation.rar 062801f6fdbda4dd67b77834c62e82a4 
SysAid-Documentation.rar 49419d84076b13e96540fdd911f1c2f0
ekrnview.exe 96986B18A8470F4020EA78DF0B3DB7D4
Thumbs.db.lnk 31718d7b9b3261688688bdc4e026db99
URL1 www.alahbabgroup[.]com/bakala/verify.php
URL2 103.225.168[.]159/admin/verify.php
URL3 www.khuyay[.]org/odin_backup/public/loggoff.php
URL4 47.91.56[.]21/verify.php
Email 8c93e024fc194f520e4e72e761c0942d
zakon.rar 9b19753369b6ed1187159b95fc8a81cd
mssconf.bat 79B53B4555C1FB39BA3C7B8CE9A4287E
C2 31.148.220[.]53
URL http://tiny-share[.]com/direct/7dae2d144dae4447a152bef586520ef8
leaks copy.rar e9815dfb90776ab449539a2be7c16de5
cc.rar 9b81b3174c9b699f594d725cf89ffaa4
zabugor.rar 914ac7ecf2557d5836f26a151c1b9b62
zabugorV.rar eca09fe8dcbc9d1c097277f2b3ef1081 
Combolist.rar 1f5fa51ac9517d70f136e187d45f69de
Nulled2019.rar f36404fb24a640b40e2d43c72c18e66b
IT.rar 0f56b04a4e9a0df94c7f89c1bccf830c
explorer.exe 1BA398B0A14328B9604EEB5EBF139B40 QuasarRAT
explorer.exe AAC00312A961E81C4AF4664C49B4A2B2 Azorult
IntelAudio.exe 2961C52F04B7FDF7CCF6C01AC259D767 Netwire
Discord.exe 97D74671D0489071BAA21F38F456EB74 Razy
Discord.exe BCC49643833A4D8545ED4145FB6FDFD2 Buzy
old.exe 119A0FD733BC1A013B0D4399112B8626 Azorult

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: