Posted on February 28, 2019 at 1:40 PM
A Chinese web security company has revealed evidence of attackers delivering malware through a WinRAR vulnerability. WinRAR appears to have a weakness that allows attackers to craft archives that infect users with malware. These findings could have enormous consequences, given that WinRAR claims to have about half a billion users.
WinRAR is a well-known file archiving program that handles numerous compressed archive formats.
The Chinese company Qihoo 360 recently provided evidence that attackers have been using a weakness in WinRAR to infect personal computers with malicious content. Qihoo 360 has published a few samples of malicious archives and noted that one of them was sent to a victim by email. Two days earlier, the web security company Check Point had reported the same WinRAR flaws.
The corrupted archives contained interesting files
In their report, Qihoo 360 explained that one of the malicious archives was packed with pictures of an attractive woman. That was the lure to get users to extract the archive and release the malware onto their computer. At first glance, the archive looked normal. The attackers had crafted it to exploit the WinRAR vulnerability so that a file is extracted to a destination other than the folder the user selected.
When the user extracts the malicious archive, it drops a file into the computer's Startup folder. That file is a malware executable that runs at the next startup. When the user turns the computer on again, the startup entry launches the malware, which sets up a hidden backdoor. An attacker could use that backdoor to install more malware and take over the device along with all the personal information and data on it.
Qihoo 360 also reported a separate archive aimed at users in Middle Eastern countries. The archive contains an advertisement for a job in Saudi Arabia. When the user extracts it, it places malware in the Startup folder that sets up a PowerShell-based backdoor.
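The attack described above works because the archiver trusts the file name stored in the archive and writes the entry wherever that name points, including the Startup folder. The following Python is an added example, not code from Qihoo 360, Check Point or WinRAR: it shows the check a safe extractor (or a mail gateway scanning attachments) should apply to every entry name before writing anything. The entry names, the extraction directory `SAMPLE_DEST` and the function names are constructed for illustration, and no real archive format is parsed; the audit goes beyond the article's specific case by rejecting any entry that would escape the chosen extraction directory, not only ones aimed at the Startup folder.

```python
import ntpath

# Constructed sample entry names (not the Qihoo 360 samples) that mimic the
# behaviour the article describes: a few harmless pictures plus entries whose
# stored path would land outside the chosen extraction folder, in the Windows
# Startup folder.
SAMPLE_ENTRIES = [
    "photos/img001.jpg",
    "photos/img002.jpg",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.exe",
]

# Hypothetical extraction directory chosen by the user.
SAMPLE_DEST = "C:\\Users\\victim\\Downloads\\photos"

# Substring that identifies a per-user or all-users Startup folder on Windows.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def is_absolute(name: str) -> bool:
    """True for drive-qualified (C:\\...), UNC (\\\\srv\\share) or rooted (\\foo) names."""
    drive, rest = ntpath.splitdrive(name)
    return bool(drive) or rest.startswith("\\")


def resolve(dest: str, name: str) -> str:
    """Where the entry would be written if the archiver trusted the stored name."""
    return ntpath.normpath(ntpath.join(dest, name))


def audit_entry(name: str, dest: str) -> list:
    """Return the reasons an entry is unsafe to extract; an empty list means it stays inside dest."""
    win_name = name.replace("/", "\\")  # treat either separator as a path separator
    reasons = []
    if is_absolute(win_name):
        reasons.append("absolute path")
    target = resolve(dest, win_name)
    root = ntpath.normpath(dest)
    # Case-insensitive prefix check, because Windows file systems are case-insensitive.
    if not target.lower().startswith(root.lower() + "\\"):
        reasons.append("escapes extraction directory")
    if STARTUP_MARKER in target.lower():
        reasons.append("targets Startup folder")
    return reasons


def audit_archive(entries, dest: str) -> dict:
    """Map every entry name to its list of findings (empty list = safe)."""
    return {name: audit_entry(name, dest) for name in entries}


def safe_entries(entries, dest: str) -> list:
    """The subset of entries an extractor should be willing to write under dest."""
    return [name for name in entries if not audit_entry(name, dest)]


if __name__ == "__main__":
    for name, findings in audit_archive(SAMPLE_ENTRIES, SAMPLE_DEST).items():
        print(("BLOCK " if findings else "ok    ") + name, findings)
```

The two picture entries pass, while both Startup-bound entries are blocked: the first because its stored name is an absolute path, the second because the `..` components resolve outside the extraction directory. Checking the resolved path rather than looking for the literal `..` string is what catches mixed separators and deeply nested traversal.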
Users need to install the patch by themselves
The developers have made a patch for this exact WinRAR weakness. It has been available as a beta release since last month. Users have to download and install the patch themselves. The newest WinRAR release has been available for download since yesterday.
It's important to have antivirus software because it could prevent issues such as this one. Qihoo 360 uploaded one of the malicious archives to VirusTotal to see how many antivirus engines recognize its content as malicious. It turned out that 24 of 56 antivirus engines detect this type of malicious content. Microsoft's antivirus is among them.