CVE Number – CVE-2018-20250
The FireEye website has released a report on four malware campaigns that are utilizing a vulnerability in WinRAR ( CVE-2018-20250 ) that allows code execution on the target machine.
WinRAR could allow a remote attacker to execute arbitrary code on the system, caused by a directory traversal in the functionality of the ACE Handler component. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system with elevated privileges.
Further technical details – https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html
Campaign 1: Impersonating an Educational Accreditation Council
The initial infection vector likely sources from a phishing email that contains an archive named “Scan_Letter_of_Approval.rar” that extracts winSrvHost.vbs into the victim’s startup folder. This VBScript file opens a backdoor into the system complete with command and control to the attacker’s server. The main function of this script is to download and execute more malware issued by the attacker.
Campaign 2: Attack on Israeli Military Industry
The nitial infection vector likely sources from a phishing email that contains an archive named “SysAid-Documentation.rar”. FireEye notes that when looking at the email headers of the email, they “believe this is an attack on an Israeli military company”. This archive extracts a file “ekrnview.exe” to the Windows startup folder of the victim’s system. This malware is dubbed “SappyCache” by FireEye and is used to download and execute more malware to the system. This malware includes HTTP-based communication back to the attacker’s servers.
Campaign 3: Potential Attack in Ukraine with Empire Backdoor
The initial infection vector likely sources from a phishing email that contains an archive named “zakon.rar”. This file contains the document “Ukraine.pdf” which contains a message on the law of Ukraine about public-private partnerships that purports to be a message from Viktor Yanukovych, former president of Ukraine. This file also drops a file named “mssconf.bat” into the Windows startup folder. This file contains base64-encoded PowerShell commands that download the Empire Backdoor malware.
Campaign 4: Credential and Credit Card Dumps as Decoys
The nitial infection vector appears to source from stolen credit card “dumps” that contain a file “leaks copy.rar”, or “cc.rar”. FireEye notes that this campaign utilizes various malware as It’s second stage payload.
Indicators of Compromise
|Letter of Approval.pdf||dc63d5affde0db95128dac52f9d19578|