A nearly 20-year-old WinRAR vulnerability is being used in attacks on the satellite and communications industry

Organizations in the satellite and communications industry are under attack, and the tradecraft closely resembles that seen in MuddyWater's earlier campaigns. For those unfamiliar with the name, MuddyWater is a cyberespionage group.

The vulnerability exploited is CVE-2018-20250, a path traversal flaw in UNACEV2.DLL, the third-party library WinRAR used to extract ACE archives. The bug had been present in that library for nearly 20 years before its disclosure in February 2019, and WinRAR 5.70 fixed it by dropping ACE support entirely. A crafted archive can make WinRAR write a file to a location of the attacker's choosing, such as the Windows Startup folder, so that it runs the next time the user logs in. The end goal of these attacks is complete control of the target system.

Office 365 Advanced Threat Protection (ATP) began investigating the attacks after it detected the malicious archive used to exploit the vulnerability.

Rex Plantado of the Office 365 ATP Research Team traced the intrusion back to a spear-phishing e-mail that claimed to come from the Ministry of Foreign Affairs of Afghanistan.

The attack was carefully layered. To avoid suspicion, the first message carried no malicious code at all: it was a request for satellite imagery resources with an ordinary-looking Word document attached.

Source: Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability (Office 365 ATP Research Team)

The attached document had nothing to do with the stated request; it simply asked the recipient to download a second document from a link. That second document carries an obfuscated macro which, once the user enables it, starts a chain of actions that ends with the download of the payload.
A "Next" button in the document also shows the victim a fake error message claiming that a DLL is missing and that the system must be rebooted. The reboot is part of the plan rather than a random distraction: the payload the WinRAR exploit drops into the Startup folder only executes at the next logon.
Meanwhile, the macro works in the background to stage a second-stage PowerShell script, which collects system information, generates a unique identifier for the machine and sends both to a server controlled by the attackers.

That script acts as a backdoor: it can download additional files, execute commands through the Command Prompt, and decode and run base64-encoded commands with PowerShell.

With the ability to download and run files in place, the attacker can deliver the malicious archive and exploit the WinRAR vulnerability, leaving the system fully compromised. The exploit still depends on the victim opening the archive with a vulnerable WinRAR (5.61 or earlier); updating to 5.70 or later, which removed ACE support, closes this stage of the chain.
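What the exploit stage abuses is an extractor that lets a filename stored inside the archive decide where the extracted file is written. The module below is an added example, not code from WinRAR, UNACEV2.DLL or the Microsoft write-up, and it does not reproduce the ACE library's specific validation bug; it models the general failure by showing a naive destination computation beside a hardened one that confines every entry to the extraction directory. It uses ntpath so Windows path rules apply on any host; the entry names and the victim's extraction directory are constructed, while the Startup folder path is the real per-user location.

```python
"""Path-confinement check for archive extraction, modelled on CVE-2018-20250.

Added example, not code from WinRAR, UNACEV2.DLL or the Microsoft write-up.
The WinRAR flaw let a filename stored in an ACE archive steer the extracted
file out of the chosen directory and into the Startup folder. unsafe_target
shows where a trusting extractor would write each entry; confined_target is
the hardened version. Entry names and DEST are constructed for the example.
"""
import ntpath
from typing import List, Tuple

# Real per-user Startup folder (relative to the user profile); anything written
# here runs at the next logon, which is what the lure's "reboot" request triggers.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def unsafe_target(dest: str, entry_name: str) -> str:
    """What a naive extractor does: trust the archive's filename and let the OS resolve it."""
    return ntpath.normpath(ntpath.join(dest, entry_name))


def confined_target(dest: str, entry_name: str) -> Tuple[bool, str]:
    """Hardened version: compute the target, then refuse anything outside dest.

    Rejects drive-qualified, absolute and rooted names up front (join would let
    them replace dest), normalises the joined path so "..\\" and "/" collapse,
    and requires dest to be a common prefix at a component boundary.
    """
    drive, rest = ntpath.splitdrive(entry_name)
    if drive or ntpath.isabs(entry_name) or rest.startswith(("\\", "/")):
        return False, entry_name
    dest_norm = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_norm, entry_name))
    try:
        allowed = ntpath.commonpath([dest_norm, target]) == dest_norm
    except ValueError:  # different drives, or absolute mixed with relative
        allowed = False
    return allowed, target


def audit(dest: str, names: List[str]) -> List[Tuple[str, str, bool]]:
    """For each entry: (name, where a naive extractor writes it, whether the confined one allows it)."""
    return [(n, unsafe_target(dest, n), confined_target(dest, n)[0]) for n in names]


DEST = r"C:\Users\victim\Desktop\extract"

# Constructed entry names: one legitimate, the rest each a different way of
# steering the file into the Startup folder from the same extraction directory.
ENTRIES = [
    "report\\satellite_imagery.docx",                 # legitimate
    "..\\..\\" + STARTUP + "\\update.exe",            # classic dot-dot traversal
    "C:\\Users\\victim\\" + STARTUP + "\\update.exe", # absolute path replaces dest
    "C:..\\..\\" + STARTUP + "\\update.exe",          # drive-relative, still escapes
    "../../" + STARTUP.replace("\\", "/") + "/update.exe",  # forward slashes
]

if __name__ == "__main__":
    for name, naive, allowed in audit(DEST, ENTRIES):
        print(f"{'ALLOW ' if allowed else 'REJECT'} {name!r}\n        naive extractor writes: {naive}")
```

The point of the audit is that four differently spelled entry names all land on the same Startup path when the filename is trusted, so a blocklist of "..\\" is not a fix; only resolving the final path and checking it against the destination is. Confining paths in the extractor is the right control, but it would not have helped here because the bug was inside WinRAR's bundled library, which is why removing the vulnerable DLL or upgrading was the only remedy for end users.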

MuddyWater (also tracked as SeedWorm) should not be taken lightly even though it was first spotted only about two years ago. Its targets have mostly been organizations in Afghanistan and, to a lesser extent, the rest of the Middle East.
