News

Microsoft report: in March hackers actively used WinRAR vulnerabilities

Microsoft published details of Windows-managed attacks on computers in media companies that took place in March.

In the attacks, criminals utilized famous WinRAR vulnerability that gained popularity within criminal groups in the latest months. Hackers armed themselves with it immediately after publication by Check Point company, on February 20. That time researchers demonstrated how through this vulnerability code with the help of a file with special configuration (compressed files format) may be applied random code.

New improved WinRAR version was issued month before Check Point publication, but even in March Microsoft still watched attacks with CVE-2018-20250.

In the March campaign, hackers sent fishing letters allegedly from Afghanistan Home Office. Methods of social engineering that they applied were carefully planned to ensure full remote system discredit in the frameworks of WinRAR limited vulnerability.

Fishing letters contained Microsoft Word file with the link on other OneDrive document. It did not contain any malware macro to prevent attack detection. However, OneDrive document contained malware macro and after their activation victim’s system received new hacker’s software.


Downloaded document with malicious macro

Document also contained “Next page” button that contained fake notification about absence of necessary file DLD and necessity of computer restart. This trick was necessary as vulnerability enables malware programs to download files in a certain folder but not to start them at once. Considering this, ideal solution was putting program in the “Startup” folder. Files from this folder started at once after restarting computer.

After restart in the infected system started backdoor PowerShell that opens hackers full access to it. Use of this backdoor and other features pointed that cyber-band MuddyWater is responsible for the attacks.

“This PowerShell script is similar to a script that has been used in past MuddyWater campaigns”, – confirmed Microsoft experts.

Source: https://www.microsoft.com/security/blog/2019/04/10/analysis-of-a-targeted-attack-exploiting-the-winrar-cve-2018-20250-vulnerability

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Re-captha-version-4-21.buzz Pop-up Ads

About Re-captha-version-4-21.buzz Re-captha-version-4-21.buzz pop-ups can not launch out of the blue. If you have actually…

9 hours ago

Remove Eliteadblocker.net Pop-up Ads

About Eliteadblocker.net Eliteadblocker.net pop-ups can not expose out of the blue. If you have clicked…

14 hours ago

Remove News-xzexivu.info Pop-up Ads

About News-xzexivu.info News-xzexivu.info pop-ups can not introduce out of the blue. If you have actually…

15 hours ago

Remove Linkbtrads.top Pop-up Ads

About Linkbtrads.top Linkbtrads.top pop-ups can not expose out of nowhere. If you have actually clicked…

15 hours ago

Remove News-xzekevu.xyz Pop-up Ads

About News-xzekevu.xyz News-xzekevu.xyz pop-ups can not introduce out of the blue. If you have actually…

15 hours ago

Remove News-xzurufo.xyz Pop-up Ads

About News-xzurufo.xyz News-xzurufo.xyz pop-ups can not introduce out of the blue. If you have clicked…

15 hours ago