CVE-2018-20250 is a critical vulnerability in WinRAR, which is estimated to have been present in the software for 19 years or more. The vulnerability even forced the development team to drop support for a file format.
This very same vulnerability, which was publicly disclosed by Check Point, has been exploited in the wild by a number of malicious campaigns, possibly by nation-state hackers as well. The flaw has been exploited with the purpose of planting malware on targeted systems.
The research initially revealed multiple weaknesses in the extraction of several popular archive formats (RAR, LZH and ACE) caused by memory corruption. There was also a parsing error in the handling of the ACE format, which led to the discovery that an outdated DLL could be manipulated by malware because it lacked protective mechanisms. A proof-of-concept demonstration showed that with a few simple parameters the whole program could be exploited.
Campaigns Using the CVE-2018-20250 Flaw Continue to Rise
By using crafted archive files, attackers can achieve remote code execution simply by getting users to open them; the dangerous files can come in different formats. The malicious code can be placed in the Startup folder, which means it is run automatically every time the computer is powered on. That is what happened in the actual attacks.
There have been various spam campaigns based on the CVE-2018-20250 flaw, delivering different malicious payloads. Apparently, malicious archives were also sent to South Korean government agencies. Another highly targeted campaign used a phishing lure about the United Nations and human rights to target users in the Middle East.
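As an added example (not from this article, nor WinRAR's or Check Point's code), here is the defender-side check a file-scanning pipeline can run over an archive's entry listing before extraction: it flags entries whose stored name, if an extractor trusted it verbatim, would escape the extraction directory or land in a Windows Startup folder. The entry names and destination path are constructed sample input, and parsing the archive headers is assumed to be done by a separate tool.

```python
import ntpath

# Tail shared by both Windows Startup folders (per-user under AppData\Roaming,
# all-users under ProgramData); compared case-insensitively.
STARTUP_MARKER = "microsoft\\windows\\start menu\\programs\\startup\\"


def resolve_target(entry_name: str, dest_dir: str) -> str:
    """Path an entry would be written to if the extractor trusted the stored
    name verbatim instead of confining it to dest_dir."""
    stored = entry_name.replace("/", "\\")
    if ntpath.isabs(stored) or ntpath.splitdrive(stored)[0]:
        candidate = stored                      # absolute or drive-qualified
    else:
        candidate = ntpath.join(dest_dir, stored)
    return ntpath.normpath(candidate)           # collapses '..' components


def classify_entry(entry_name: str, dest_dir: str) -> str:
    """'startup' if the entry lands in a Startup folder, 'traversal' if it
    escapes dest_dir, otherwise 'ok'."""
    target = resolve_target(entry_name, dest_dir).lower()
    dest = ntpath.normpath(dest_dir).lower().rstrip("\\") + "\\"
    if STARTUP_MARKER in target:
        return "startup"
    if not target.startswith(dest):
        return "traversal"
    return "ok"


def suspicious_entries(entry_names, dest_dir):
    """(name, verdict) for every entry that should block extraction."""
    flagged = []
    for name in entry_names:
        verdict = classify_entry(name, dest_dir)
        if verdict != "ok":
            flagged.append((name, verdict))
    return flagged


# Constructed sample listing (not from any real archive), as a scanner that
# has already parsed the archive headers would hand it over.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"..\..\..\..\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\helper.exe",
    r"..\sibling\notes.txt",
]

if __name__ == "__main__":
    for name, verdict in suspicious_entries(SAMPLE_ENTRIES, r"C:\Users\victim\Downloads\extract"):
        print(f"{verdict:9} {name}")
```

Run against the sample listing, the two Startup-bound entries and the sibling-directory escape are flagged while the plain document name passes.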
A recent report by McAfee reveals another lure where Ariana Grande is used to trick users into opening maliciously crafted archives that drop malware on their machines. The researchers have come across at least 100 unique exploits using the WinRAR flaw, and the attacks are highly likely to continue. Millions of users are using the program, and chances are many of them are running an outdated, unpatched version of it.