Just a few days ago, a serious security hole found in WinRar that had existed in the program for 15 years and endangering our equipment without our knowing it. The fault lies with a bug in a library to decompress the ACE file format. Well, just two days after the vulnerability was disclosed publicly, the first sample of a file that exploits the bug to install malware was discovered.
Combination of Social Engineering and Encryption
One way in which attackers use this exploit is that they send compressed files via email, in which they insert multiple images of women as bait to make the user unzip the file. And in addition, they encrypt the malicious ACE file. Since there is no preview of the images without extracting the content, if the user looks at a photo out of curiosity, the possibilities of extracting the complete file and activating the vulnerability increase.
Once this happens, an executable
OfficeUpdateService.exe be sent to the directory,
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup courtesy of the vulnerability in the library to decompress ACE files. And if the user reboots the computer or the session, it will be executed at the next startup.
That executable is a remotely controlled backdoor that can do things like allow the attacker to manage files, restart or shut down the computer, even install Trojans, capture and record the screen, etc. The researchers explain that these types of attacks are in the early stages of an outbreak, since many other types of malware, including worms, can also be inserted into the files to cause even more damage.
How Do I Protect Myself?
The only solution, if you are WinRar users, is to install the latest version of the program that has completely removed the support for ACE files to avoid being compromised: WinRAR 5.70 beta 1. Don’t worry, you can able to use a free alternative such as 7zip that does not even support ACE files.