Jump to Content
Threat Intelligence

WinRAR Zero-day Abused in Multiple Campaigns

March 26, 2019
Mandiant

Written by: Dileep Kumar Jallepalli


WinRAR, an over 20-year-old file archival utility used by over 500 million users worldwide, recently acknowledged a long-standing vulnerability in its code-base. A recently published path traversal zero-day vulnerability, disclosed in CVE-2018-20250 by Check Point Research, enables attackers to specify arbitrary destinations during file extraction of ‘ACE’ formatted files, regardless of user input. Attackers can easily achieve persistence and code execution by creating malicious archives that extract files to sensitive locations, like the Windows “Startup” Start Menu folder. While this vulnerability has been fixed in the latest version of WinRAR (5.70), WinRAR itself does not contain auto-update features, increasing the likelihood that many existing users remain running out-of-date versions.

FireEye has observed multiple campaigns leveraging this vulnerability, in addition to those already discussed by 360 Threat Intelligence Center. Below we will look into some campaigns we came across that used customized and interesting decoy documents with a variety of payloads including ones which we have not seen before and the ones that used off-the-shelf tools like PowerShell Empire.

Campaign 1: Impersonating an Educational Accreditation Council

Infection Vector

When the ACE file Scan_Letter_of_Approval.rar is extracted with vulnerable WinRAR versions lower than 5.70, it creates a file named winSrvHost.vbs in the Windows Startup folder without the user’s consent. The VBScript file is executed the next time Windows starts up.

Decoy Document

To avoid user suspicion, the ACE file contains a decoy document, “Letter of Approval.pdf”, which purports to be from CSWE, the Council on Social Work Education as shown in Figure 1. This seems to be copied from CSWE website.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar1_jkwe.max-1000x1000.png

Figure 1: Decoy document impersonating CSWE

VBS Backdoor

The VBS file in the Startup folder will be executed by wscript.exe when Windows starts up. The VBS code first derives an ID for the victim using custom logic based on a combination of the ComputerName, Processor_identifier and Username. It obtains these from environment strings, as shown in Figure 2.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar2.max-1000x1000.png

Figure 2: Deriving victim ID

Interestingly, the backdoor communicates with the command and control (C2) server using the value of the Authorization HTTP header using the code in Figure 3.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar3.max-1000x1000.png

Figure 3: Base64-encoded data in Authorization header

The VBS backdoor first sends the base64-encoded data, including the victim ID and the ComputerName, using the code in Figure 4.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar4.max-1000x1000.png

Figure 4: Base64-encoded victim data

It then extracts the base64-encoded data in the Authorization header of the HTTP response from the C2 server and decodes it. The decoded data starts with the instruction code from the C2 server, followed with additional parameters.

C2 Communication

The malware reaches out to the C2 server at 185[.]162.131.92 via an HTTP request. Actual communication is via the Authorization field, as shown in Figure 5.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar5.max-1000x1000.png

Figure 5: Communication via Authorization field

Upon decoding the value of the Authorization field, it can be seen that the malware is sending the Victim ID and the computer name to the C2 server. The C2 server responds with the commands in the value of the Authorization HTTP header, as shown in Figure 6.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar6_ndjl.max-700x700.png

Figure 6: C2 commands in Authorization field

Upon decoding, the commands are found to be “ok ok”, which we believe is the default C2 command. After some C2 communication, the C2 server responded with instructions to download the payload from hxxp://185.49.71[.]101/i/pwi_crs.exe, which is a Netwire RAT.

Commands Supported by VBS Backdoor

 

Command Explanation
d Delete the VBS file and exit process
Pr Download a file from a URL and execute it
Hw Get hardware info
av Look for antivirus installed from a predefined list.
Indicators

 

File Name Hash/IP Address
Scan_Letter_of_Approval.rar 8e067e4cda99299b0bf2481cc1fd8e12
winSrvHost.vbs 3aabc9767d02c75ef44df6305bc6a41f
Letter of Approval.pdf dc63d5affde0db95128dac52f9d19578
pwi_crs.exe 12def981952667740eb06ee91168e643
C2 185[.]162.131.92
Netwire C2 89[.]34.111.113

Campaign 2: Attack on Israeli Military Industry

Infection Vector

Based on the email uploaded to VirusTotal, the attacker seems to send a spoofed email to the victim with an ACE file named SysAid-Documentation.rar as an attachment. Based on the VirusTotal uploader and the email headers, we believe this is an attack on an Israeli military company.

Decoy Files

The ACE file contains decoy files related to documentation for SysAid, a help desk service based in Israel. These files are shown as they would be displayed in WinRAR in Figure 7.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar7.max-1000x1000.png

Figure 7: Decoy files

Thumbs.db.lnk

This LNK file target is ‘C:\Users\john\Desktop\100m.bat’. But when we look at the icon location using a LNK parser, as shown in Figure 8, it points to an icon remotely hosted on one of the C2 servers, which can be used to steal NTLM hashes.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar8.max-1000x1000.png

Figure 8: LNK parser output

SappyCache Analysis

Upon extraction, WinRAR copies a previously unknown payload we call SappyCache to the Startup folder with the file name ‘ekrnview.exe’. The payload is executed the next time Windows starts up.

SappyCache tries to fetch the next-stage payload using three approaches:

1) Decrypting a File: The malware tries to read the file at %temp%\..\GuiCache.db. If it is successful, it tries to decrypt it using RC4 to get the C2 URLs, as shown in Figure 9.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar9_uhtw.max-600x600.png

Figure 9: Decrypting file at GuiCache.db

2) Decrypting a Resource: If it is not successful in retrieving the C2 URL using the previous method, the malware tries to retrieve the encrypted C2 URLs from a resource section, as shown in Figure 10. If it is successful, it will decrypt the C2 URLs using RC4.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar10_oqyh.max-800x800.png

Figure 10: Decrypting a resource

3) Retrieving From C2: If it is not successful in retrieving the C2 URLs using those previous two methods, the malware tries to retrieve the payload from four different hardcoded URLs mentioned in the indicators. The malware creates the HTTP request using the following information:

  • Computer Name, retrieved using the GetComputerNameA function, as the HTTP parameter ‘name’ (Figure 11).
https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar11.max-600x600.png

Figure 11: Retrieving computer name using GetComputerNameA

  • Windows operating system name, retrieved by querying the ProductName value from the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion, as the HTTP parameter ‘key’ (Figure 12).
https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar12_cfll.max-900x900.png

Figure 12: Retrieving Windows OS name using ProductName value

  • The module name of the malware, retrieved using the GetModuleFileNameA function, as the HTTP parameter ‘page’ (Figure 13).
https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar13.max-600x600.png

Figure 13: Retrieving malware module name using using GetModuleFileNameA

  • The list of processes and their module names, retrieved using the Process32First and Module32First APIs, as the HTTP parameter ‘session_data’ (Figure 14).
https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar14_efqz.max-1000x1000.png

Figure 14: Retrieving processes and modules using Process32First and Module32First

A fragment of the HTTP request that is built with the information gathered is shown in Figure 15.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar15.max-1000x1000.png

Figure 15: HTTP request fragment

If any of the aforementioned methods is successful, the malware tries to execute the decrypted payload. During our analysis, the C2 server did not respond with a next-level payload.

Indicators

 

File Name/Type Hash/URL
SysAid-Documentation.rar 062801f6fdbda4dd67b77834c62e82a4
SysAid-Documentation.rar 49419d84076b13e96540fdd911f1c2f0
ekrnview.exe 96986B18A8470F4020EA78DF0B3DB7D4
Thumbs.db.lnk 31718d7b9b3261688688bdc4e026db99
URL1 www.alahbabgroup[.]com/bakala/verify.php
URL2 103.225.168[.]159/admin/verify.php
URL3 www.khuyay[.]org/odin_backup/public/loggoff.php
URL4 47.91.56[.]21/verify.php
Email 8c93e024fc194f520e4e72e761c0942d

Campaign 3: Potential Attack in Ukraine with Empire Backdoor

Infection Vector

The ACE file named zakon.rar is propagated using a malicious URL mentioned in the indicators. 360 Threat Intelligence Center has also encountered this campaign.

Decoy Documents

The ACE file contains a file named Ukraine.pdf, which contains a message on the law of Ukraine about public-private partnerships that purports to be a message from Viktor Yanukovych, former president of Ukraine (Figure 16 and Figure 17).

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar16.max-900x900.png

Figure 16: Ukraine.pdf decoy file

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar17_fsyp.max-1000x1000.png

Figure 17: Contents of decoy file

Based on the decoy PDF name, the decoy PDF content and the VirusTotal uploader, we believe this is an attack on an individual in Ukraine.

Empire Backdoor

When the file contents are extracted, WinRAR drops a .bat file named mssconf.bat in the Startup folder. The batch file contains commands that invoke base64-encoded PowerShell commands. After decoding, the PowerShell commands invoked are found to be the Empire backdoor, as shown in Figure 18. We did not observe any additional payloads at the time of analysis.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar18.max-900x900.png

Figure 18: Empire backdoor

Indicators

 

File Name/URL Hash/URL
zakon.rar 9b19753369b6ed1187159b95fc8a81cd
mssconf.bat 79B53B4555C1FB39BA3C7B8CE9A4287E
C2 31.148.220[.]53
URL http://tiny-share[.]com/direct/7dae2d144dae4447a152bef586520ef8

Campaign 4: Credential and Credit Card Dumps as Decoys

Decoy Documents

This campaign uses credential dumps and likely stolen credit card dumps as decoy documents to distribute different types of RATs and password stealers.

One file, ‘leaks copy.rar’, used text files that contained stolen email IDs and passwords as decoys. These files are shown as they would be displayed in WinRAR in Figure 19.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar19_cuqx.max-1000x1000.png

Figure 19: Text files containing stolen email credentials as decoy

Another file, ‘cc.rar’, used a text file containing stolen credit card details as a decoy. The file as it would be displayed in WinRAR and sample contents of the decoy file are shown in Figure 20.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar20_zcmq.max-1000x1000.png

Figure 20: Text file containing stolen credit card details as decoy

Payloads

This campaign used payloads from different malware families. To keep the draft concise, we did not include the analysis of all of them. The decompilation of one of the payloads with hash 1BA398B0A14328B9604EEB5EBF139B40 shows keylogging capabilities (Figure 21). We later identified this sample as QuasarRAT.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar21_lnvv.max-600x600.png

Figure 21: Keylogging capabilities

The decompilation of all the .NET-based payload shows that much of the code is written in Chinese. The decompilation of malware with hash BCC49643833A4D8545ED4145FB6FDFD2 containing Chinese text is shown in Figure 22. We later identified this sample as Buzy.

https://storage.googleapis.com/gweb-cloudblog-publish/images/winrar22_kdmf.max-600x600.png

Figure 22: Code written in Chinese

The other payloads also have similar keylogging, password stealing and standard RAT capabilities. The VirusTotal submissions show the use of different malware families in this campaign and a wide range of targeting.

Hashes of ACE Files

 

File Name Hash
leaks copy.rar e9815dfb90776ab449539a2be7c16de5
cc.rar 9b81b3174c9b699f594d725cf89ffaa4
zabugor.rar 914ac7ecf2557d5836f26a151c1b9b62
zabugorV.rar eca09fe8dcbc9d1c097277f2b3ef1081
Combolist.rar 1f5fa51ac9517d70f136e187d45f69de
Nulled2019.rar f36404fb24a640b40e2d43c72c18e66b
IT.rar 0f56b04a4e9a0df94c7f89c1bccf830c
Hashes of Payloads

 

File name Hash Malware Family
explorer.exe 1BA398B0A14328B9604EEB5EBF139B40 QuasarRAT
explorer.exe AAC00312A961E81C4AF4664C49B4A2B2 Azorult
IntelAudio.exe 2961C52F04B7FDF7CCF6C01AC259D767 Netwire
Discord.exe 97D74671D0489071BAA21F38F456EB74 Razy
Discord.exe BCC49643833A4D8545ED4145FB6FDFD2 Buzy
old.exe 119A0FD733BC1A013B0D4399112B8626 Azorult
FireEye Detection

FireEye detection names for the indicators in the attack:

 

FireEye Endpoint Security

IOC: WINRAR (EXPLOIT)

MG: Generic.mg

AV:

  • Exploit.ACE-PathTraversal.Gen
  • Exploit.Agent.UZ
  • Exploit.Agent.VA
  • Gen:Heur.BZC.ONG.Boxter.91.1305E319
  • Gen:Variant.Buzy.2604
  • Gen:Variant.Razy.472302
  • Generic.MSIL.PasswordStealerA.5CBD94BB
  • Trojan.Agent.DPAS
  • Trojan.GenericKD.31783690
  • Trojan.GenericKD.31804183
FireEye Network Security
  • FE_Exploit_ACE_CVE201820250_2
  • FE_Exploit_ACE_CVE201820250_1
  • Backdoor.EMPIRE
  • Downloader.EMPIRE
  • Trojan.Win.Azorult
  • Trojan.Netwire
FireEye Email Security
  • FE_Exploit_ACE_CVE201820250_2
  • FE_Exploit_ACE_CVE201820250_1
  • FE_Backdoor_QUASARRAT_A
  • FE_Backdoor_EMPIRE

Conclusion

We have seen how various threat actors are abusing the recently disclosed WinRAR vulnerability using customized decoys and payloads, and by using different propagation techniques such as email and URL. Because of the huge WinRAR customer-base, lack of auto-update feature and the ease of exploitation of this vulnerability, we believe this will be used by more threat actors in the upcoming days.

Traditional AV solutions will have a hard time providing proactive zero-day detection for unknown malware families. FireEye MalwareGuard, a component of FireEye Endpoint Security, detects and blocks all the PE executables mentioned in this blog post using machine learning. It’s also worth noting that this vulnerability allows the malicious ACE file to write a payload to any path if WinRAR has sufficient permissions, so although the exploits that we have seen so far chose to write the payload to startup folder, a more involved threat actor can come up with a different file path to achieve code execution so that any behavior based rules looking for WinRAR writing to the startup folder can be bypassed. Enterprises should consider blocking vulnerable WinRAR versions and mandate updating WinRAR to the latest version.

FireEye Endpoint Security, FireEye Network Security and FireEye Email Security detect and block these campaigns at several stages of the attack chain.

Acknowledgement

Special thanks to Jacob Thompson, Jonathan Leathery and John Miller for their valuable feedback on this blog post.

Posted in