Quarterly Threat Bulletin: WinRAR Zero-Day Vuln and More

Originally published by Uptycs.

Written by Dan Verton.

The Uptycs Threat Research Team released its latest Quarterly Threat Bulletin today, covering the tactics, techniques and procedures (TTPs) of the most prevalent malware and threat actor groups.

The Q3 Threat Bulletin highlighted the active exploitation of the WinRAR Zero-Day vulnerability by cyber-criminals to deploy Remcos RAT and other malicious payloads. This vulnerability has left millions of computers vulnerable to exploitation by attackers.

WinRAR Zero-Day

The WinRAR Zero-Day vulnerability is a security flaw that allows attackers to bypass security measures and execute malicious code. It is a bug present in the popular file compression tool, WinRAR, which affects the way the tool handles ACE archive files. Cyber-criminals can use this vulnerability to execute remote code execution on their target systems and deploy malware like Remcos RAT.

So, how are attackers using this vulnerability? Attackers are luring victims to open specially crafted ACE files, which contain malware payloads that get executed when the file gets unzipped. Once the malware code executes, it allows the attacker to take control of the victim's system, steal sensitive data, or install further malware.

"What makes it particularly insidious is its ability to hide malicious executables within seemingly benign files, such as PDFs or JPGs, in an archive. They package both benign and malicious files within a single ZIP archive," the bulletin states.

The WinRAR vulnerability is being actively exploited by various cyber-crime actors, and it has become a popular attack vector for distributing malware in Q3 2023. It's essential to keep your system updated with the latest WinRAR version, which includes a patch to fix this vulnerability. Additionally, you must refrain from opening suspicious emails or downloading files from unknown sources.

Windows, Linux, and macOS Threats

Apart from the WinRAR vulnerability, the Q3 Threat Bulletin also highlights the malware targeting Windows, Linux, and macOS systems. For example, Windows users should watch out for RedLine, AgentTesla, and Amadey, while Linux users should take notice of Mirai, Gafgyt, and CoinMiner.

Another concern is the growing use of LOLBins (Living Off the Land Binaries), which are legitimate command-line tools that attackers misuse to execute malicious code. The most commonly abused LOLBins on Windows include rundll32.exe, powershell.exe, and wscript.exe, while on Linux, attackers are abusing crontab, chattr, and wget. For macOS, abusers are misusing Openssl, curl, and killall.

Lastly, the Q3 Threat Bulletin lists key vulnerabilities and exploits of Windows, Linux, and macOS systems that attackers are exploiting to deploy malware. Keeping your systems updated with the latest security patches and following best practices like refraining from opening suspicious emails and avoiding downloading files from unknown sources can help keep your systems protected.

Take Action Now

The WinRAR Zero-Day vulnerability is a serious threat to your enterprise, and it's essential to take proactive measures to prevent exploitation. Keeping your systems updated with the latest security patches, avoiding suspicious emails and files, and adopting best practices for cybersecurity can all help prevent your systems from being exploited by attackers.