WinRAR is a popular file compression software with 500 million users, but an “Absolute Path Traversal” bug in its old library, called UNACEV2.DLL, could allow to extract a compressed executable file to the Windows Startup, where the file would automatically run on reboot.
Researchers at 360 Threat Intelligence Center detected a malspam email campaign which is distributing a special crafted archive file (.RAR) that exploits the WinRAR vulnerability to install malware on Windows computers.
“Possibly the first malware delivered through the mail to exploit WinRAR vulnerability. The backdoor is generated by MSF [Microsoft Solutions Framework] and written to the global startup folder by WinRAR if UAC is turned off,” the researchers tweeted.
When opened using WinRAR—software running with administrator privileges or with UAC (User Account Control) disabled—the malware drops a malicious exe file (CMSTray.exe) to the Windows Startup folder.
The WinRAR team had lost the access to the source code for the vulnerable UNACEV2.DLL library in 2005, instead of fixing the issue, they released WINRar version 5.70 beta 1 that doesn’t support the DLL and ACE format.