Attackers are exploiting 19 year old WinRAR vulnerability

Cyber attackers are exploiting a 19 year old high severity code execution vulnerability in WinRAR, a popular compression tool used to create and view archives in RAR or ZIP file formats and can unpack numerous archive file formats.

Nearly a month ago Check Point Research first discovered the unacev2.dll vulnerability (CVE-2018-20250) can result in code execution and allow a remote attacker to take complete control over the affected system.

The Check Point researchers warned that the exploit works by simply extracting an archive, which puts over 500 million users at risk.

“We found that WinRAR uses a dll named unacev2.dll for parsing ACE archives. A quick look at this dll revealed that it’s an old dated dll compiled in 2006 without a protection mechanism,” Check Point noted in February.

As of Thursday, McAfee security researchers now have identified over 100 unique exploits of the WinRAR vulnerability and counting. Most of the initial targets are in the United States, McAfee said in the blog post.

Attackers will use vulnerable versions of WinRAR to extract the contents of an archive and then create a malicious payload in the Startup folder without the user knowing about it. McAfee said one exploit example used a bootlegged copy of Ariana Grande’s hit album “Thank U, Next” with a file name of “Ariana_Grande-thank_u,next(2019)[320].rar”

It is important to note the vulnerability has been patched with version 5.70 as of February 26, but cyber criminals are already releasing exploits to find and compromise vulnerable systems that haven’t yet been patched.

Users should make sure their anti-virus signatures are up-to-date as well.