Reefa Posted April 2, 2014

Imagine you open a WinRAR archive of MP3 files, but what if it installs malware into your system when you play any one of them?

WinRAR, a widely used file archiver and data compression utility, helps hackers to distribute malicious code. Israeli security researcher Danor Cohen (An7i) discovered the WinRAR file extension spoofing vulnerability.

The WinRAR file extension spoofing vulnerability allows hackers to modify the filename and extension inside the traditional file archive, which helps them to hide binary malicious code inside an archive, pretending to be '.jpg', '.txt' or any other format.

Using a hex editor tool, he analysed a ZIP file and noticed that the WinRAR tool also adds some custom properties to an archive, including two names: the first name is the original filename (FAX.png) and the second name is the filename (FAX.png) that will appear in the WinRAR GUI window.

Danor manipulated the second filename and extension to prepare a special ZIP archive that actually includes a malware file "FAX.exe", but displays itself as "FAX.png" to the user.

Cyber intelligence company IntelCrawler also published a report, which revealed that cybercriminals specialized in cyber espionage attacks are using this zero-day vulnerability in the wild to target several aerospace corporations, military subcontractors, embassies, as well as Fortune Global 500 companies. Using this technique, an attacker can drop any malware in a very convincing manner onto the victim's system.

"Using this method the bad actors bypass some specific security measures including e-mail server's antivirus systems," IntelCrawler said.

Danor successfully exploited WinRAR version 4.20, and IntelCrawler confirmed that the vulnerability also works on all WinRAR versions including v5.1.

"One of the chosen tactics includes malicious fake CV distribution and FOUO (For Official Use Only)-like documents, including fax scanned messages."

Using social engineering techniques, attackers are targeting high-profile victims with spear phishing mails. "Most of sent malicious attachments are hidden as graphical files, but password protected in order to avoid antivirus or IDS/IPS detection," IntelCrawler reported.

In the above example, the malware archive file was password protected to avoid antivirus detection, used in an ongoing targeted cyber espionage campaign.

Researchers found a Zeus-like Trojan as an attachment, which has the ability to establish a remote administration channel with the infected victim, gather passwords and system information, then send the collected and stolen data to the Command & Control server hosted in Turkey (IP 185.9.159.211, Salay Telekomünikasyon).

Users are advised to use alternative archiving software and avoid opening archives with passwords even if they have legitimate files.

Source
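The two-name layout the article describes is the ordinary ZIP structure: each entry's name is stored once in the local file header (the copy used when the file is written to disk) and again in the central directory (the copy an archiver lists). The detector below is an added example, not code from the article or from WinRAR; it parses both copies and reports entries whose names disagree. The archives it runs on are constructed in memory with the standard library, and the spoof_fixture helper exists only to build a mismatched test archive so the detector's positive path can be checked.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header, name used when extracting
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry, name shown in listings
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def find_name_mismatches(data: bytes) -> list:
    """Return (listed_name, extracted_name) pairs whose two stored names differ."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at +10, central directory offset at +16
    entries, cd_offset = struct.unpack_from("<H4xI", data, eocd + 10)
    mismatches, pos = [], cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        listed = data[pos + 46:pos + 46 + name_len]
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError("central directory entry does not point at a local header")
        local_len = struct.unpack_from("<H", data, local_off + 26)[0]
        extracted = data[local_off + 30:local_off + 30 + local_len]
        if listed != extracted:
            mismatches.append((listed.decode("utf-8", "replace"),
                               extracted.decode("utf-8", "replace")))
        pos += 46 + name_len + extra_len + comment_len
    return mismatches


def build_archive(name: str, payload: bytes) -> bytes:
    """Constructed sample: a single-entry ZIP written by the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def spoof_fixture(data: bytes, real: bytes, shown: bytes) -> bytes:
    """Test fixture only: overwrite the central-directory copy of `real` with
    `shown` (must be the same length) so listing and local header disagree."""
    cd_offset = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]
    idx = data.index(real, cd_offset)
    return data[:idx] + shown + data[idx + len(real):]
```

A mail gateway or endpoint scanner can apply the same check before an archive reaches a user; a non-empty result is a strong signal regardless of which archiver the recipient uses.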
dcs18 Posted April 2, 2014

> WinRAR File Extension Spoofing vulnerability allows Hackers to Hide Malware

In the first figure I see a WinZip file - not WinRAR (Mohit Kumar was not in his element when he wrote this article.) ;)
killbit Posted April 2, 2014

> In the first figure I see a WinZip file - not WinRAR (Mohit Kumar was not in his element when he wrote this article.)

Did you not read the article? The problem is with the software itself, not the compression format.
matekudasai115 Posted May 2, 2014

WinRAR 4.20 is vulnerable to ZIP file name spoofing. Please upgrade to the WinRAR 5.00 release or later, which are not vulnerable.

Source
rudrax Posted May 2, 2014

> WinRAR File Extension Spoofing vulnerability allows Hackers to Hide Malware
>
> In the first figure I see a WinZip file - not WinRAR (Mohit Kumar was not in his element when he wrote this article.) ;)

The element where he was, was "high" :tooth:
MOT Posted May 2, 2014 (edited)

Great article. The coincidence for me is that last night I downloaded the 'Alan Parsons project the complete albums collection 2014 mp3 320kbps beolab1700.torrent'. Everything was cool, I unrared the archive and was listening to the tunes! The archive had a file called 'Alan parsons project discology.wmv'; I was thinking great, bonus time, I get a video too! I double-clicked the video file and the video didn't do anything, anything that is except try to infect me! I noticed AppGuard's icon flashing in the tray area, and when I investigated I found that the actual blocked file was something called 'games.dll.exe' and that it was launched from the 'guarded' [guarded, as in guarded by AppGuard] program PotPlayer when launching the video file 'Alan parsons project discology.wmv'. The so-called video file was really an .exe! Whether or not the CHIT I encountered was related specifically to the 'Extension Spoofing vulnerability' or not, the symptoms were sure the same. The potential for infection was just as great too; thanks to AppGuard it didn't happen! [to me]

Edited May 2, 2014 by MOT