Just like the operating system itself, application software needs to be updated regularly in order to prevent the possibility of fixed security vulnerability from being taken advantage of by 3rd parties. It is unfortunate that many users are starting to avoid auto-updates for their software altogether in order to prevent the hassles of restarting the computer and interrupt their workflow.
That is exactly what happened with Winrar users who deliberately disabled auto-updates. Winrar had a vulnerability under CVE-2018-20250, it was fixed with Winrar 5.70 beta 1. The “Absolute Path Traversal” vulnerability was discovered in the support file named UNACEV2.DLL that comes in all WinRar install. The unpatched version of UNACEV2.DLL can create a loophole where an executable file compressed using the ACE archive format can be extracted to the system’s Startup folder. Once the machine is rebooted, it will automatically run that compressed executable file, the attacker can elect what file to be compressed in ACE archive format for later execution by the system after a reboot.
The threat actor only needs to enable the user to open a malicious ACE archive file in WinRar through a phishing technique or a specially created URL shortened site hosting the file for download. The vulnerability has been fixed by WinRar developers last February 26, 2019, but apparently, those that fall for the exploit were using older versions, as they disable WinRar auto-updates in the settings menu.
Simple phishing techniques were used in one of the incidents, where an alleged pirated copy of Ariana Grande’s “Thank U, Next” album was compressed WinRar format which contains not only the actual audio files but also includes malicious exe files, which will be extracted to the Startup folder, executing the code upon Windows restart. The exe file attachment also comes with a unique code which deliberately bypasses the Windows User Account Control, hence the user is not alerted once the exe file runs under the Startup folder.
The only way for WinRar users to prevent infection through the use of the security bug is to keep on updating WinRar. By default, the auto-update is turned-on, it is the choice of the user to disable it depending on his use case. The hope that an antivirus will stop the possibility of stopping malware infection is low, especially for this type of exploit where out of 64 antimalware software tested, only 11 brands have an updated signature to identify the Ariana Grande Thank U trojan. 53 antivirus vendors failed to detect the infectious exe files from the archive, as their signatures are not yet updated in order to identify the existence of the trojan.
