WinRAR Zero-day Abused In Multiple Campaigns [CVE-2018-20250]
CVE Number – CVE-2018-20250
FireEye has published a report on four malware campaigns that exploit a WinRAR vulnerability (CVE-2018-20250) to execute code on the victim's machine.
Details
WinRAR versions before 5.70 contain a path traversal flaw in their handling of ACE archives (implemented in the bundled third-party UNACEV2.DLL). A crafted ACE archive, usually renamed with a .rar extension because WinRAR identifies the format by content rather than by file name, can cause a file to be written outside the directory the user chose for extraction, for example into the user's Startup folder, where it runs at the next logon with that user's privileges. The only interaction required is the victim opening the archive and extracting it. WinRAR 5.70 removed ACE support entirely; on older versions, deleting UNACEV2.DLL from the install directory also mitigates the issue.
Further technical details – https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html
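The Details above describe the bug in prose; as an added example (not code from FireEye, WinRAR or the original page), the Python script below triages an archive the way WinRAR sees it: it ignores the extension, checks for the ACE magic at offset 7, walks the ACE headers and lists every declared file name, flagging names that try to leave the extraction directory or land in the Startup folder. The header layout follows the public ACE format description (2-byte CRC, 2-byte size, then type, flags and the fixed file-header fields before a length-prefixed name, as implemented in the open-source acefile project); only the 32-bit size layout is handled, and header CRCs are not verified. The two archives it scans are constructed in `build_ace()` with harmless payloads; the `C:\C:C:../` prefix on the constructed dropper name mirrors the form used by published exploits for this bug.

```python
"""Triage scanner for CVE-2018-20250-style ACE archives.

Added example, not FireEye's or WinRAR's code.  Header layout follows the
public ACE format description (as used by the open-source acefile project);
only the 32-bit size layout is handled and header CRCs are not verified.
The sample archives are constructed below with harmless payloads.
"""
import re
import struct

ACE_MAGIC = b"**ACE**"        # sits at offset 7 of the main header
MAIN_HEADER, FILE_HEADER = 0, 1
FILENAME_OFFSET = 31          # offset of the file name inside a file-header body


def is_ace(data: bytes) -> bool:
    """True if the blob carries an ACE main header, whatever its extension."""
    return len(data) >= 14 and data[7:14] == ACE_MAGIC


def iter_headers(data: bytes):
    """Yield (type, flags, body) per header; body starts at hdr_type.

    Layout: hdr_crc(2) hdr_size(2) then hdr_size bytes of body.  A file
    header is followed by packsize bytes of packed data, which we skip.
    """
    off = 0
    while off + 4 <= len(data):
        hdr_size = struct.unpack_from("<H", data, off + 2)[0]
        body = data[off + 4: off + 4 + hdr_size]
        if hdr_size < 3 or len(body) < hdr_size:
            break                          # truncated or garbage: stop here
        htype = body[0]
        flags = struct.unpack_from("<H", body, 1)[0]
        yield htype, flags, body
        off += 4 + hdr_size
        if htype == FILE_HEADER:
            off += struct.unpack_from("<I", body, 3)[0]   # skip packsize bytes


def declared_names(data: bytes):
    """Return [(name, packsize, origsize)] for every file header."""
    out = []
    for htype, _flags, body in iter_headers(data):
        if htype != FILE_HEADER or len(body) < FILENAME_OFFSET:
            continue
        packsize, origsize = struct.unpack_from("<II", body, 3)
        fnlen = struct.unpack_from("<H", body, FILENAME_OFFSET - 2)[0]
        name = body[FILENAME_OFFSET:FILENAME_OFFSET + fnlen].decode("latin-1")
        out.append((name, packsize, origsize))
    return out


def path_findings(name: str):
    """Reasons a declared name must not be extracted as-is."""
    reasons = []
    if re.search(r"\.\.[\\/]", name):
        reasons.append("dot-dot traversal")
    if re.match(r"^[A-Za-z]:", name) or name[:1] in ("\\", "/"):
        reasons.append("absolute path")
    if re.search(r"start menu|startup", name, re.IGNORECASE):
        reasons.append("targets Startup folder (runs at next logon)")
    return reasons


def scan(data: bytes, claimed_name: str = ""):
    """Return a list of (finding, detail) tuples for one archive blob."""
    findings = []
    if not is_ace(data):
        return findings
    if claimed_name and not claimed_name.lower().endswith(".ace"):
        findings.append(("ACE content behind non-.ace extension", claimed_name))
    for name, _packsize, _origsize in declared_names(data):
        for reason in path_findings(name):
            findings.append((reason, name))
    return findings


# --- constructed samples (not real malware) ---------------------------------
def _header(body: bytes) -> bytes:
    return struct.pack("<HH", 0, len(body)) + body    # CRC field left as 0


def build_ace(entries):
    """Build a minimal stored ACE archive from [(name, payload)] pairs."""
    main = (bytes([MAIN_HEADER]) + struct.pack("<H", 0) + ACE_MAGIC
            + bytes([20, 20, 2, 0])              # eversion, cversion, host, volume
            + struct.pack("<I", 0) + b"\0" * 8)  # datetime, reserved
    out = _header(main)
    for name, payload in entries:
        fname = name.encode("latin-1")
        fhdr = (bytes([FILE_HEADER]) + struct.pack("<H", 0)
                + struct.pack("<IIII", len(payload), len(payload), 0, 0x20)
                + struct.pack("<I", 0)           # crc32 of data (unchecked here)
                + bytes([0, 0])                  # comptype=stored, compqual
                + struct.pack("<HHH", 0, 0, len(fname)) + fname)
        out += _header(fhdr) + payload
    return out


STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# Decoy document plus a dropper aimed at the Startup folder; the "C:\C:C:../"
# prefix mirrors the form used by published exploits for this bug.
MALICIOUS = build_ace([
    ("Letter of Approval.pdf", b"%PDF-1.4 decoy"),
    ("C:\\C:C:../" + STARTUP + "\\winSrvHost.vbs", b"WScript.Echo 1"),
])
BENIGN = build_ace([("report.txt", b"nothing to see")])

if __name__ == "__main__":
    for label, blob in (("Scan_Letter_of_Approval.rar", MALICIOUS), ("notes.ace", BENIGN)):
        print(label, declared_names(blob))
        for finding, detail in scan(blob, label):
            print("  !", finding, "->", detail)
```

Run it as a script to see the listing for both samples. `scan()` is the piece to wire into a mail-gateway or sandbox pre-filter; its extension-mismatch finding alone (ACE content inside a file named .rar) is a strong signal, since the archives in all four campaigns carry a .rar name.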
Campaign 1: Impersonating an Educational Accreditation Council
The initial infection vector is likely a phishing email carrying an archive named “Scan_Letter_of_Approval.rar”, which extracts winSrvHost.vbs into the victim’s Startup folder. The VBScript acts as a backdoor with command and control to the attacker’s server; its main function is to download and execute further malware issued by the attacker.
Campaign 2: Attack on Israeli Military Industry
The initial infection vector is likely a phishing email carrying an archive named “SysAid-Documentation.rar”. FireEye notes that, based on the email headers, they “believe this is an attack on an Israeli military company”. The archive extracts “ekrnview.exe” into the Windows Startup folder of the victim’s system. FireEye dubs this malware “SappyCache”; it downloads and executes further malware and communicates with the attacker’s servers over HTTP.
Campaign 3: Potential Attack in Ukraine with Empire Backdoor
The initial infection vector is likely a phishing email carrying an archive named “zakon.rar”. It contains the decoy document “Ukraine.pdf”, a message about the law of Ukraine on public-private partnerships that purports to come from Viktor Yanukovych, former president of Ukraine. The archive also drops “mssconf.bat” into the Windows Startup folder; the batch file contains base64-encoded PowerShell commands that download the Empire backdoor.
Campaign 4: Credential and Credit Card Dumps as Decoys
The initial infection vector appears to be stolen credential and credit card “dumps” used as lures, distributed in archives such as “leaks copy.rar” or “cc.rar”. FireEye notes that this campaign uses a variety of malware as its second-stage payload.
Indicators of Compromise
Hashes are MD5; IP addresses and domains are defanged with [.].

| Indicator | MD5 / value | Note |
| --- | --- | --- |
| Scan_Letter_of_Approval.rar | 8e067e4cda99299b0bf2481cc1fd8e12 | |
| winSrvHost.vbs | 3aabc9767d02c75ef44df6305bc6a41f | |
| Letter of Approval.pdf | dc63d5affde0db95128dac52f9d19578 | |
| pwi_crs.exe | 12def981952667740eb06ee91168e643 | |
| C2 | 185[.]162.131.92 | |
| Netwire C2 | 89[.]34.111.113 | |
| SysAid-Documentation.rar | 062801f6fdbda4dd67b77834c62e82a4 | |
| SysAid-Documentation.rar | 49419d84076b13e96540fdd911f1c2f0 | |
| ekrnview.exe | 96986B18A8470F4020EA78DF0B3DB7D4 | |
| Thumbs.db.lnk | 31718d7b9b3261688688bdc4e026db99 | |
| URL1 | www.alahbabgroup[.]com/bakala/verify.php | |
| URL2 | 103.225.168[.]159/admin/verify.php | |
| URL3 | www.khuyay[.]org/odin_backup/public/loggoff.php | |
| URL4 | 47.91.56[.]21/verify.php | |
| | 8c93e024fc194f520e4e72e761c0942d | |
| zakon.rar | 9b19753369b6ed1187159b95fc8a81cd | |
| mssconf.bat | 79B53B4555C1FB39BA3C7B8CE9A4287E | |
| C2 | 31.148.220[.]53 | |
| URL | http://tiny-share[.]com/direct/7dae2d144dae4447a152bef586520ef8 | |
| leaks copy.rar | e9815dfb90776ab449539a2be7c16de5 | |
| cc.rar | 9b81b3174c9b699f594d725cf89ffaa4 | |
| zabugor.rar | 914ac7ecf2557d5836f26a151c1b9b62 | |
| zabugorV.rar | eca09fe8dcbc9d1c097277f2b3ef1081 | |
| Combolist.rar | 1f5fa51ac9517d70f136e187d45f69de | |
| Nulled2019.rar | f36404fb24a640b40e2d43c72c18e66b | |
| IT.rar | 0f56b04a4e9a0df94c7f89c1bccf830c | |
| explorer.exe | 1BA398B0A14328B9604EEB5EBF139B40 | QuasarRAT |
| explorer.exe | AAC00312A961E81C4AF4664C49B4A2B2 | Azorult |
| IntelAudio.exe | 2961C52F04B7FDF7CCF6C01AC259D767 | Netwire |
| Discord.exe | 97D74671D0489071BAA21F38F456EB74 | Razy |
| Discord.exe | BCC49643833A4D8545ED4145FB6FDFD2 | Buzy |
| old.exe | 119A0FD733BC1A013B0D4399112B8626 | Azorult |
I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.