Blog Other Blogs McAfee Labs Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

Craig Schmugar

Mar 14, 2019

3 MIN READ

Earlier this month Check Point Research reported discovery of a 19 year old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that that are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched.

One recent example piggybacks on a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,_next(2019)_[320].rar”

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.

Figure 1 – Malformed Archive detected by McAfee as CVE2018-20250!4A63011F5B88
SHA256: e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec

Figure 2 – Extracted non-malicious MP3 files

Figure 3 – Extracted Malware payload detected by McAfee as Generic Trojan.i
SHA256: A1C06018B4E331F95A0E33B47F0FAA5CB6A084D15FEC30772923269669F4BC91

In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.

 

McAfee advises users to keep their anti-malware signatures up to date at all times. McAfee products detect known and unknown malformed ACE files exploiting the vulnerability as CVE2018-20250![Partial hash] starting with the following content

  • V2 DATs version 9183 released March 2, 2019
  • V3 DATs version 3634 released March 2, 2019

Additional GTI coverage exists for email-based attacks, in tandem with the Suspicious Attachment feature. When this feature is enabled, Artemis![Partial hash] detections will occur on known exploits.

Update: An earlier version of this article used the phrase User Access Control (UAC) which has now been changed to User Account Control (UAC) and the term “bypass” which has now been changed to “does not apply.”

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS
Craig Schmugar

Craig Schmugar is a Sr. Principal Engineer at McAfee. Since joining McAfee in 2000 he has worked in different areas of research, from Malware Operations to Innovation Research. More recently...

More from McAfee Labs

SpyLoan: A Global Threat Exploiting Social Engineering
Authored by: Fernando Ruiz The McAfee mobile research team recently identified a significant global increase of SpyLoan,...

Nov 25, 2024   |   16 MIN READ

Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation
Authored by: M. Authored by: M, Mohanasundaram and Neil Tyagi In today’s rapidly evolving cyber landscape, malware...

Nov 20, 2024   |   18 MIN READ

The Dark Side of Gen AI
There’s no denying that Generative Artificial Intelligence (GenAI) has been one of the most significant technological developments...

Nov 18, 2024   |   5 MIN READ

Behind the CAPTCHA: A Clever Gateway of Malware
Authored by Yashvi Shah and Aayush Tyagi Executive summary McAfee Labs recently observed an infection chain where...

Sep 20, 2024   |   8 MIN READ

Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware
Authored by Neil Tyagi In cybersecurity, threats constantly evolve, and new ways to exploit unsuspecting users are...

Sep 19, 2024   |   14 MIN READ

New Android SpyAgent Campaign Steals Crypto Credentials via Image Recognition
Authored by SangRyol Ryu Recently, McAfee’s Mobile Research Team uncovered a new type of mobile malware that...

Sep 05, 2024   |   10 MIN READ

The Scam Strikes Back: Exploiting the CrowdStrike Outage
Authored by Lakshya Mathur, Vallabh Chole & Abhishek Karnik Recently we witnessed one of the most significant...

Jul 30, 2024   |   5 MIN READ

Olympics Has Fallen – A Misinformation Campaign Featuring a Voice Cloned Elon Musk
Authored by Lakshya Mathur and Abhishek Karnik As the world gears up for the 2024 Paris Olympics,...

Jul 26, 2024   |   6 MIN READ

ClickFix Deception: A Social Engineering Tactic to Deploy Malware
Authored by Yashvi Shah and Vignesh Dhatchanamoorthy McAfee Labs has discovered a highly unusual method of malware...

Jul 11, 2024   |   9 MIN READ

Quality Over Quantity: the Counter-Intuitive GenAI Key
It’s been almost two years since OpenAI launched ChatGPT, driving increased mainstream awareness of and access to...

Jun 28, 2024   |   3 MIN READ

Fake Bahrain Government Android App Steals Personal Data Used for Financial Fraud
Authored by Dexter Shin Many government agencies provide their services online for the convenience of their citizens....

May 31, 2024   |   7 MIN READ

How Scammers Hijack Your Instagram
Authored by Vignesh Dhatchanamoorthy, Rachana S Instagram, with its vast user base and dynamic platform, has become...

May 14, 2024   |   6 MIN READ

Back to top