Serious WinRAR Vulnerability Actively Exploited by Cybercrime Groups

A critical zero-day vulnerability in the popular file compression software WinRAR has been actively exploited by two Russian cybercriminal groups. The exploitation relied on malicious archives attached to phishing emails, some of them personalized, to compromise systems.

Security firm ESET detected these attacks on July 18, after finding files in unusual directories. By July 24, ESET had linked this activity to a previously unknown WinRAR vulnerability, in software with an installation base of 500 million. Once the issue was reported, WinRAR's developers released a patch six days later.

The vulnerability exploited Windows' alternate data streams, an NTFS feature that lets a file carry additional named streams addressed with a colon syntax and thereby allows an unconventional representation of file paths, to plant malicious executables in sensitive directories that are normally protected precisely to prevent such code execution.
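A defensive check for the archive-entry pattern described above, added here as an example and not code from ESET, WinRAR or the attackers: it flags archive entry names whose alternate-data-stream component carries path separators or traversal components, resolves where each name would land under an assumed extraction root, and notes executable payloads. The sample entry names, the `X:\extract` root and the simplification that a stream name resolves like a relative path are constructed for illustration.

```python
import ntpath

# Constructed sample archive entry names (not taken from any real malicious archive).
SAMPLE_ENTRIES = [
    "invoice.pdf",                               # ordinary file
    "notes.txt:summary",                         # benign ADS: plain stream name
    r"notes.txt:..\..\..\Startup\update.exe",    # stream name smuggles a traversal path
    r"..\..\evil.dll",                           # classic traversal without ADS
]

EXEC_EXT = {".exe", ".dll", ".cmd", ".bat", ".scr", ".lnk", ".vbs", ".js", ".ps1"}
EXTRACT_ROOT = r"X:\extract"   # assumed extraction directory used for path resolution

def split_ads(name):
    """Split 'file:stream' into (file, stream); stream is None when absent.
    A single-letter drive prefix such as 'C:' is not an ADS separator."""
    body, sep, stream = name.partition(":")
    if not sep or (len(body) == 1 and body.isalpha()):
        return name, None
    return body, stream

def escapes_root(path, root=EXTRACT_ROOT):
    """True when path, joined under root and normalised, lands outside root."""
    full = ntpath.normpath(ntpath.join(root, path))
    return not full.lower().startswith(root.lower() + "\\")

def analyse_entry(name, root=EXTRACT_ROOT):
    """Return a list of finding tags for one archive entry name (empty means clean)."""
    findings = []
    base, stream = split_ads(name)
    if escapes_root(base, root):
        findings.append("path-escapes-root")
    if stream is not None and ("\\" in stream or "/" in stream or stream == ".."):
        findings.append("ads-stream-contains-path")
        # Simplification: treat the stream text as a relative path under the root.
        if escapes_root(stream, root):
            findings.append("ads-stream-escapes-root")
    target = stream if stream is not None else base
    if ntpath.splitext(target)[1].lower() in EXEC_EXT:
        findings.append("executable-payload")
    return findings

def scan(entries, root=EXTRACT_ROOT):
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for entry in entries:
        findings = analyse_entry(entry, root)
        if findings:
            report[entry] = findings
    return report

if __name__ == "__main__":
    for name, tags in scan(SAMPLE_ENTRIES).items():
        print(f"{name!r}: {', '.join(tags)}")
```

The same checks apply to any archive listing (for instance one produced by a command-line unpacker's list mode) before extraction on an untrusted machine.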

ESET attributed the attacks to a group known as RomCom, which has been linked to sophisticated exploitation in the past. According to ESET's analysis, this is the third zero-day vulnerability RomCom has used.

Interestingly, another group named Paper Werewolf was also found exploiting this vulnerability. This group is suspected of having acquired the exploit through dark-market crime forums. It targeted victims with archives attached to emails impersonating employees of Russian institutes in order to deliver malware.

ESET described three execution chains it observed. These involve a DLL file inside the archive, the running of malicious executables, and ultimately the installation of malware such as Mythic Agent and SnipBot. Previous WinRAR vulnerabilities have been exploited in a similar fashion, including a notable case in 2019.

Because WinRAR has no automatic update mechanism, users are advised to install patches manually. The latest secure version is 7.13, which resolves the known vulnerabilities. However, given the recurrence of zero-day reports, the concern remains significant.