WinRAR, an over 20-year-old file archival utility used by over 500 million
users worldwide, recently acknowledged a long-standing
vulnerability in its code-base. A recently published path traversal
zero-day vulnerability, disclosed in CVE-2018-20250 by Check
Point Research, enables attackers
to specify arbitrary destinations during file extraction of ‘ACE’
formatted files, regardless of user input. Attackers can
easily achieve persistence and code execution by creating malicious
archives that extract files to sensitive locations,
like the Windows “Startup” Start Menu folder. While
this vulnerability has been fixed in the latest version of WinRAR
(5.70), WinRAR itself does not contain auto-update features,
increasing the likelihood that many existing users remain running
out-of-date versions.
FireEye has observed multiple campaigns leveraging this
vulnerability, in addition to those already discussed by 360
Threat Intelligence Center. Below we will look into some
campaigns we came across that used customized and interesting decoy
documents with a variety of payloads including ones which we have not
seen before and the ones that used off-the-shelf tools like PowerShell Empire.
Campaign 1: Impersonating an Educational Accreditation Council
Infection Vector: When the ACE file Scan_Letter_of_Approval.rar
is extracted with vulnerable WinRAR versions lower than 5.70, it
creates a file named winSrvHost.vbs in the Windows Startup folder
without the user’s consent. The VBScript file is executed the next
time Windows starts up.
Decoy Document: To avoid user suspicion, the ACE file contains
a decoy document, “Letter of Approval.pdf”, which purports to be from
CSWE, the Council on Social Work Education as shown in Figure 1. This
seems to be copied from CSWE website.
Figure 1: Decoy document impersonating CSWE
VBS Backdoor: The VBS file in the Startup folder will be
executed by wscript.exe when Windows starts up. The VBS code first
derives an ID for the victim using custom logic based on a combination
of the ComputerName, Processor_identifier and Username. It obtains
these from environment strings, as shown in Figure 2.
Figure 2: Deriving victim ID
Interestingly, the backdoor communicates with the command and
control (C2) server using the value of the Authorization HTTP header
using the code in Figure 3.
Figure 3: Base64-encoded data in
Authorization header
The VBS backdoor first sends the base64-encoded data, including the
victim ID and the ComputerName, using the code in Figure 4.
Figure 4: Base64-encoded victim data
It then extracts the base64-encoded data in the Authorization header
of the HTTP response from the C2 server and decodes it. The decoded
data starts with the instruction code from the C2 server, followed
with additional parameters.
C2 Communication
The malware reaches out to the C2 server at 185[.]162.131.92 via an
HTTP request. Actual communication is via the Authorization field, as
shown in Figure 5.
Figure 5: Communication via Authorization field
Upon decoding the value of the Authorization field, it can be seen
that the malware is sending the Victim ID and the computer name to the
C2 server. The C2 server responds with the commands in the value of
the Authorization HTTP header, as shown in Figure 6.
Figure 6: C2 commands in Authorization field
Upon decoding, the commands are found to be “ok ok”, which we
believe is the default C2 command. After some C2 communication, the C2
server responded with instructions to download the payload from
hxxp://185.49.71[.]101/i/pwi_crs.exe, which is a Netwire RAT.
Commands Supported by VBS Backdoor
Command |
Explanation |
d | Delete the VBS file and exit process |
Pr | Download a file from a URL and execute it
|
Hw | Get hardware info |
av | Look for antivirus installed from a predefined
list. |
Indicators
File Name |
Hash/IP Address |
Scan_Letter_of_Approval.rar
| 8e067e4cda99299b0bf2481cc1fd8e12 |
winSrvHost.vbs | 3aabc9767d02c75ef44df6305bc6a41f
|
Letter of Approval.pdf |
dc63d5affde0db95128dac52f9d19578 |
pwi_crs.exe | 12def981952667740eb06ee91168e643
|
C2 | 185[.]162.131.92 |
Netwire C2 | 89[.]34.111.113 |
Campaign 2: Attack on Israeli Military Industry
Infection Vector: Based on the email uploaded to VirusTotal,
the attacker seems to send a spoofed email to the victim with an ACE
file named SysAid-Documentation.rar as an attachment. Based on the
VirusTotal uploader and the email headers, we believe this is an
attack on an Israeli military company.
Decoy Files: The ACE file contains decoy files related to
documentation for SysAid, a help desk service based in Israel. These
files are shown as they would be displayed in WinRAR in Figure 7.
Figure 7: Decoy files
Thumbs.db.lnk: This LNK file target is
‘C:UsersjohnDesktop100m.bat’. But when we look at the icon
location using a LNK parser, as shown in Figure 8, it points to an
icon remotely hosted on one of the C2 servers, which can be used to
steal NTLM hashes.
Figure 8: LNK parser output
SappyCache Analysis: Upon extraction, WinRAR copies a
previously unknown payload we call SappyCache to the Startup folder
with the file name ‘ekrnview.exe’. The payload is executed the next
time Windows starts up.
SappyCache tries to fetch the next-stage payload using three approaches:
Decrypting a File at %temp%..GuiCache.db
The malware tries to read the file at %temp%..GuiCache.db. If it
is successful, it tries to decrypt it using RC4 to get the C2 URLs, as
shown in Figure 9.
Figure 9: Decrypting file at GuiCache.db
Decrypting a Resource
If it is not successful in retrieving the C2 URL using the previous
method, the malware tries to retrieve the encrypted C2 URLs from a
resource section, as shown in Figure 10. If it is successful, it will
decrypt the C2 URLs using RC4.
Figure 10: Decrypting a resource
Retrieving From C2
If it is not successful in retrieving the C2 URLs using those
previous two methods, the malware tries to retrieve the payload from
four different hardcoded URLs mentioned in the indicators. The malware
creates the HTTP request using the following information:
- Computer Name, retrieved
using the GetComputerNameA function, as the HTTP parameter ‘name’
(Figure 11).
Figure 11: Retrieving computer name using GetComputerNameA
- Windows operating system
name, retrieved by querying the ProductName value from the registry
key SOFTWAREMicrosoftWindows NTCurrentVersion, as the HTTP
parameter ‘key’ (Figure 12).
Figure 12: Retrieving Windows OS name
using ProductName value
- The module name of the
malware, retrieved using the GetModuleFileNameA function, as the
HTTP parameter ‘page’ (Figure 13).
Figure 13: Retrieving malware module name
using using GetModuleFileNameA
- The list of processes and
their module names, retrieved using the Process32First and
Module32First APIs, as the HTTP parameter ‘session_data’ (Figure
14).
Figure 14: Retrieving processes and
modules using Process32First and Module32First
A fragment of the HTTP request that is built with the information
gathered is shown in Figure 15.
Figure 15: HTTP request fragment
If any of the aforementioned methods is successful, the malware
tries to execute the decrypted payload. During our analysis, the C2
server did not respond with a next-level payload.
Indicators
File Name/Type |
Hash/URL |
SysAid-Documentation.rar |
062801f6fdbda4dd67b77834c62e82a4 |
SysAid-Documentation.rar |
49419d84076b13e96540fdd911f1c2f0 |
ekrnview.exe | 96986B18A8470F4020EA78DF0B3DB7D4
|
Thumbs.db.lnk | 31718d7b9b3261688688bdc4e026db99
|
URL1 | www.alahbabgroup[.]com/bakala/verify.php
|
URL2 | 103.225.168[.]159/admin/verify.php |
URL3 | www.khuyay[.]org/odin_backup/public/loggoff.php
|
URL4 | 47.91.56[.]21/verify.php |
Email | 8c93e024fc194f520e4e72e761c0942d |
Campaign 3: Potential Attack in Ukraine with Empire Backdoor
Infection Vector: The ACE file named zakon.rar is propagated
using a malicious URL mentioned in the indicators. 360
Threat Intelligence Center has also encountered this campaign.
Decoy Documents: The ACE file contains a file named
Ukraine.pdf, which contains a message on the law of Ukraine about
public-private partnerships that purports to be a message from Viktor
Yanukovych, former president of Ukraine (Figure 16 and Figure 17).
Figure 16: Ukraine.pdf decoy file
Figure 17: Contents of decoy file
Based on the decoy PDF name, the decoy PDF content and the
VirusTotal uploader, we believe this is an attack on an individual in Ukraine.
Empire Backdoor: When the file contents are extracted, WinRAR
drops a .bat file named mssconf.bat in the Startup folder. The batch
file contains commands that invoke base64-encoded PowerShell commands.
After decoding, the PowerShell commands invoked are found to be the
Empire backdoor, as shown in Figure 18. We did not observe any
additional payloads at the time of analysis.
Figure 18: Empire backdoor
Indicators
File Name/URL |
Hash/URL |
zakon.rar | 9b19753369b6ed1187159b95fc8a81cd
|
mssconf.bat | 79B53B4555C1FB39BA3C7B8CE9A4287E
|
C2 | 31.148.220[.]53 |
URL | http://tiny-share[.]com/direct/7dae2d144dae4447a152bef586520ef8
|
Campaign 4: Credential and Credit Card Dumps as Decoys
Decoy Documents: This campaign uses credential dumps and likely
stolen credit card dumps as decoy documents to distribute different
types of RATs and password stealers.
One file, ‘leaks copy.rar’, used text files that contained stolen
email IDs and passwords as decoys. These files are shown as they would
be displayed in WinRAR in Figure 19.
Figure 19: Text files containing stolen
email credentials as decoy
Another file, ‘cc.rar’, used a text file containing stolen credit
card details as a decoy. The file as it would be displayed in WinRAR
and sample contents of the decoy file are shown in Figure 20.
Figure 20: Text file containing stolen
credit card details as decoy
Payloads: This campaign used payloads from different malware
families. To keep the draft concise, we did not include the analysis
of all of them. The decompilation of one of the payloads with hash
1BA398B0A14328B9604EEB5EBF139B40 shows keylogging capabilities (Figure
21). We later identified this sample as QuasarRAT.
Figure 21: Keylogging capabilities
The decompilation of all the .NET-based payload shows that much of
the code is written in Chinese. The decompilation of malware with hash
BCC49643833A4D8545ED4145FB6FDFD2 containing Chinese text is shown in
Figure 22. We later identified this sample as Buzy.
Figure 22: Code written in Chinese
The other payloads also have similar keylogging, password stealing
and standard RAT capabilities. The VirusTotal submissions show the use
of different malware families in this campaign and a wide range of targeting.
Hashes of ACE Files
File Name |
Hash |
leaks copy.rar | e9815dfb90776ab449539a2be7c16de5
|
cc.rar | 9b81b3174c9b699f594d725cf89ffaa4 |
zabugor.rar | 914ac7ecf2557d5836f26a151c1b9b62
|
zabugorV.rar | eca09fe8dcbc9d1c097277f2b3ef1081 |
Combolist.rar | 1f5fa51ac9517d70f136e187d45f69de
|
Nulled2019.rar | f36404fb24a640b40e2d43c72c18e66b
|
IT.rar | 0f56b04a4e9a0df94c7f89c1bccf830c |
Hashes of Payloads
File name | Hash | Malware Family |
explorer.exe | 1BA398B0A14328B9604EEB5EBF139B40
| QuasarRAT |
explorer.exe | AAC00312A961E81C4AF4664C49B4A2B2
| Azorult |
IntelAudio.exe | 2961C52F04B7FDF7CCF6C01AC259D767
| Netwire |
Discord.exe | 97D74671D0489071BAA21F38F456EB74
| Razy |
Discord.exe | BCC49643833A4D8545ED4145FB6FDFD2
| Buzy |
old.exe | 119A0FD733BC1A013B0D4399112B8626 | Azorult |
FireEye Detection
FireEye detection names for the indicators in the attack:
FireEye Endpoint Security
|
IOC: WINRAR (EXPLOIT)
MG: Generic.mg
AV: - Exploit.ACE-PathTraversal.Gen
- Exploit.Agent.UZ
- Exploit.Agent.VA
- Gen:Heur.BZC.ONG.Boxter.91.1305E319
- Gen:Variant.Buzy.2604
- Gen:Variant.Razy.472302
- Generic.MSIL.PasswordStealerA.5CBD94BB
- Trojan.Agent.DPAS
- Trojan.GenericKD.31783690
- Trojan.GenericKD.31804183
|
FireEye Network Security |
- FE_Exploit_ACE_CVE201820250_2
- FE_Exploit_ACE_CVE201820250_1
- Backdoor.EMPIRE
- Downloader.EMPIRE
- Trojan.Win.Azorult
- Trojan.Netwire
|
FireEye Email Security |
- FE_Exploit_ACE_CVE201820250_2
- FE_Exploit_ACE_CVE201820250_1
- FE_Backdoor_QUASARRAT_A
- FE_Backdoor_EMPIRE
|
Conclusion
We have seen how various threat actors are abusing the recently
disclosed WinRAR vulnerability using customized decoys and payloads,
and by using different propagation techniques such as email and URL.
Because of the huge WinRAR customer-base, lack of auto-update feature
and the ease of exploitation of this vulnerability, we believe this
will be used by more threat actors in the upcoming days.
Traditional AV solutions will have a hard time providing proactive
zero-day detection for unknown malware families. FireEye MalwareGuard,
a component of FireEye Endpoint Security, detects and blocks all the
PE executables mentioned in this blog post using machine learning.
It’s also worth noting that this vulnerability allows the malicious
ACE file to write a payload to any path if WinRAR has sufficient
permissions, so although the exploits that we have seen so far chose
to write the payload to startup folder, a more involved threat actor
can come up with a different file path to achieve code execution so
that any behavior based rules looking for WinRAR writing to the
startup folder can be bypassed. Enterprises should consider blocking
vulnerable WinRAR versions and mandate updating WinRAR to the latest version.
FireEye Endpoint Security, FireEye Network Security and FireEye
Email Security detect and block these campaigns at several stages of
the attack chain.
Acknowledgement
Special thanks to Jacob Thompson, Jonathan Leathery and John Miller
for their valuable feedback on this blog post.
