1. Overview
Since the WinRAR unacev2.dll arbitrary code execution vulnerability (CVE-2018-20250) was disclosed, it has been favored by malware authors and underground groups because it is very simple and easy to exploit, and a steady stream of malicious exploits has followed. Exploitation of the WinRAR unacev2.dll vulnerability has an obvious shortcoming, however: the malicious code is only executed after the victim restarts the system.
Recently, the Tencent Security Yujian Threat Intelligence Center has observed attackers upgrading their WinRAR exploitation techniques. The upgrades reduce, to a certain extent, the dependency on the victim actively restarting the system, while ensuring that the malicious Trojan is started at the earliest opportunity.
Common exploitation method:
Exploitation methods after the upgrade:
(1) Attack method 1
(2) Attack method 2
2. Analysis
Attack method 1:
The WinRAR exploit is combined with a malicious lnk to evade anti-virus detection while increasing the probability that the malicious Trojan is executed. The sample information and analysis are as follows.
MD5: 3e86873fab89792c3f2302b4deb2377f
File name: mirotvorec.rar
Opening mirotvorec.rar, the contents of the archive are as follows:
Unzipping mirotvorec.rar shows that the archive also drops two lnk files and one exe file:
File 1: %userprofile%\win.exe (user profile directory)
File 2: c:\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Goggle Chrome.lnk (Start Menu startup directory)
File 3: c:\desktop\GoggleChrome.lnk (desktop shortcut)
File 1 is the final malicious Trojan to be executed, dropped under %userprofile% (the user directory). The contents of file 2 and file 3 are identical: both pose as a Chrome browser shortcut (the attacker misspelled Google as Goggle), but the file the lnk actually launches is %userprofile%\win.exe, i.e. file 1.
Note that if win.exe is executed directly from the user directory, the correct password must be entered before execution continues. The password is passed to win.exe as a command-line argument by the shortcut above; when the victim double-clicks Goggle Chrome.lnk the password argument is supplied automatically and the password dialog box shown below does not appear.
This attack differs from previous attacks using the WinRAR vulnerability in the following ways:
1) To evade anti-virus detection, the malicious Trojan that is finally executed is not dropped into the system startup directory but into the user directory. At the same time, to ensure that the Trojan still runs after a restart, a malicious lnk masquerading as a Chrome browser shortcut is dropped into the system startup directory; that lnk is in fact a launcher for the malicious Trojan;
2) To increase the probability that the Trojan is executed, and to compensate for the WinRAR exploit's dependency on a restart, the attacker also drops the malicious lnk onto the desktop to induce the victim to click it manually;
3) To evade anti-virus detection, the malicious Trojan requires the correct password before it executes (this prevents the automated analysis tools of anti-virus vendors from observing anything anomalous);
4) The malicious Trojan is executed either when the user restarts the system or when the user double-clicks the malicious lnk.
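A defender-side triage check for the startup-folder technique described above, written for this article as an added example (not code from the original report). It runs over constructed shortcut records of the kind a shortcut enumeration tool would export (location, target, arguments, all assumed field names) and flags a Startup lnk whose target lives outside the usual install roots, whose name is a near-miss of a browser brand, and which passes an argument such as the password gate:

```python
import re
from difflib import SequenceMatcher

# Constructed records (assumption): one modelled on the article's Goggle Chrome.lnk,
# one benign OneDrive shortcut for contrast. Field names are assumed, not a tool's API.
SHORTCUTS = [
    {"location": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Goggle Chrome.lnk",
     "target": r"C:\Users\victim\win.exe", "arguments": "p4ssw0rd"},
    {"location": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
     "target": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "arguments": "/background"},
]
BRAND_NAMES = ["google chrome", "mozilla firefox", "microsoft edge"]
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")   # where real browser binaries live

def is_startup(path):
    return "\\start menu\\programs\\startup\\" in path.lower()

def display_name(path):
    return re.sub(r"\.lnk$", "", path.rsplit("\\", 1)[-1], flags=re.I)

def lookalike(name):
    """Return the brand a shortcut name imitates: close to, but not equal to, a known name."""
    n = name.lower()
    for brand in BRAND_NAMES:
        if n != brand and SequenceMatcher(None, n, brand).ratio() >= 0.85:
            return brand
    return None

def triage(rec):
    """Findings for one Startup shortcut; an empty list means nothing suspicious."""
    findings = []
    if not is_startup(rec["location"]):
        return findings
    if not rec["target"].lower().startswith(TRUSTED_ROOTS):
        findings.append("target outside trusted install roots: " + rec["target"])
    brand = lookalike(display_name(rec["location"]))
    if brand:
        findings.append(f"shortcut name imitates '{brand}'")
        if rec["arguments"]:
            findings.append("branded shortcut passes arguments: " + rec["arguments"])
    return findings

if __name__ == "__main__":
    for rec in SHORTCUTS:
        print(rec["location"], "->", triage(rec) or "clean")
```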
Attack method 2:
The malicious bat file downloads and decompresses the ACE file and at the same time forces the system to restart to ensure that the malicious Trojan executes. The sample and analysis are as follows.
MD5: 1e541b14b531bcac70e77a012b0f0f7f
File name: __Denuncia_Activa_CL.PDF.bat
Opening the bat file in notepad++ shows garbled text; the status bar in the lower right corner shows that the file uses UCS-2 Little Endian encoding.
Opening the bat file in a hex editor instead reveals the real file content.
When the bat file executes, it first generates a random number, which is used to rename the malicious rar file that is about to be downloaded.
It then sets the download directory and file name, and invokes a powershell command to download the malicious rar file from a hard-coded URL.
Finally it uses WinRAR to decompress the archive, dropping the malicious Trojan into the system startup directory, and executes the 'shutdown -r' command to force a restart so that the malicious Trojan starts as soon as possible.
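An added triage helper for the bat sample behaviour described above (example code written for this article, not part of the original report). It selects the text encoding from the BOM, which is why the file looked garbled in a plain editor, then decodes it and reports the traits the analysis lists: a document-looking double extension, a powershell invocation, a forced reboot, and hard-coded URLs. The sample script and its name are constructed and inert; they contain no download logic.

```python
import re
import codecs

# Constructed sample (assumption): a small batch script saved with a UTF-16 LE BOM,
# the encoding the report observed, carrying the same markers as the analysed dropper
# but with no actual download. The name and URL are placeholders, not real indicators.
SAMPLE_NAME = "__Invoice_Active.PDF.bat"
SAMPLE_BYTES = codecs.BOM_UTF16_LE + (
    "@echo off\r\n"
    "set /a n=%random%\r\n"
    "set url=http://example.invalid/up.rar\r\n"
    "powershell -NoProfile -Command \"Write-Output %n%\"\r\n"
    "shutdown -r -t 0\r\n"
).encode("utf-16-le")

def decode_script(raw):
    """Return (text, encoding label) chosen from the byte order mark, as a hex view shows it."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le"), "UCS-2 LE (UTF-16 LE)"
    if raw.startswith(codecs.BOM_UTF16_BE):
        return raw[2:].decode("utf-16-be"), "UCS-2 BE (UTF-16 BE)"
    if raw.startswith(codecs.BOM_UTF8):
        return raw[3:].decode("utf-8"), "UTF-8 with BOM"
    return raw.decode("latin-1"), "8-bit (ANSI)"

def triage_bat(name, raw):
    """List the suspicious traits of a batch file; an empty list means none found."""
    text, enc = decode_script(raw)
    findings = []
    if re.search(r"\.(pdf|doc|docx|xls|jpg)\.(bat|cmd)$", name, re.I):
        findings.append("double extension disguises a script as a document")
    if enc.startswith("UCS-2"):
        findings.append(f"stored as {enc}; single-byte string scans will not see its commands")
    for line in text.splitlines():
        low = line.lower()
        if "powershell" in low:
            findings.append("invokes powershell: " + line)
        if re.match(r"\s*shutdown\b.*[-/]r\b", low):
            findings.append("forces a reboot: " + line)
        for url in re.findall(r"https?://\S+", line):
            findings.append("hard-coded url: " + url)
    return findings

if __name__ == "__main__":
    for f in triage_bat(SAMPLE_NAME, SAMPLE_BYTES):
        print(f)
```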
3. Safety recommendations
1. The unacev2.dll vulnerability is not limited to WinRAR; many compression and decompression tools, WinRAR included, are affected. Users are advised to upgrade all such software to the latest version. The software management feature of Tencent Computer Manager can be used to complete the upgrade.
2. Alternatively, delete the UNACEV2.DLL file from the WinRAR installation directory. This makes ACE-format archives unusable, but the impact is small: the commercial company holding the ACE format patent closed more than ten years ago, so the ACE compression format can be abandoned entirely.
3. Do not trust or open files of unknown origin or purpose.
4. IOCs