

Several threat groups are actively exploiting a recently patched vulnerability in WinRAR, a 23-year-old file archival utility with over 500 million users worldwide. The vulnerability, tracked as CVE-2018-20250, is a path traversal bug that lets an attacker control the destination path when 'ACE' formatted archives are extracted. An attacker can therefore achieve persistence and code execution by crafting malicious archives that extract files to sensitive locations, such as the Windows Start Menu "Startup" folder.

At least four separate phishing campaigns have been found using malicious ACE archives to drop backdoors, loaders, and malware such as QuasarRAT. The targeted organisations included an education accreditation council, an Israeli defence contractor and the Ukrainian government. The vulnerability was also exploited by the Iranian cyberespionage group APT33 (aka Elfin) to target organisations in Saudi Arabia and the US. Attacks abusing the WinRAR vulnerability are expected to continue, given the ease of exploitation and the large WinRAR customer base. As WinRAR has no auto-update feature, users running outdated versions are strongly encouraged to download and use the latest WinRAR version 5.70.
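The bug class described above is an archive entry name controlling where a file is written. The following added example (not code from the brief, WinRAR, or the cited campaigns) shows the containment check an extractor or an archive-listing scanner should apply before writing any entry, and flags entries aimed at the Start Menu Startup folder that the campaigns abused; the entry names and destination directory are constructed samples.

```python
import ntpath
from typing import Optional

# Constructed sample entry names, in the style of an archive listing.
SAMPLE_ENTRIES = [
    "report\\summary.docx",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\Users\\Public\\loader.exe",
    "\\\\server\\share\\tool.exe",
    "images/photo.jpg",
]

# Case-folded marker for the per-user / all-users Startup persistence folder.
STARTUP_MARKER = ntpath.normcase("\\Start Menu\\Programs\\Startup\\")


def resolve_entry(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute path an entry would be written to under dest_dir,
    or None if the entry escapes dest_dir. dest_dir is an absolute Windows path."""
    name = entry_name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(name)
    # Drive-qualified ("C:\..."), UNC ("\\server\...") and rooted ("\foo")
    # names are never legitimate relative archive entries.
    if drive or rest.startswith("\\"):
        return None
    dest = ntpath.normpath(dest_dir)
    target = ntpath.normpath(ntpath.join(dest, name))
    # normpath collapses '..' segments; anything not strictly below dest escaped.
    if not ntpath.normcase(target).startswith(ntpath.normcase(dest) + "\\"):
        return None
    return target


def targets_startup(entry_name: str) -> bool:
    """True if the entry name points into a Start Menu Startup folder."""
    return STARTUP_MARKER in ntpath.normcase(entry_name.replace("/", "\\"))


def audit_entries(dest_dir: str, entries) -> dict:
    """Classify each entry as 'ok', 'escape' or 'escape+startup'."""
    verdicts = {}
    for entry in entries:
        if resolve_entry(dest_dir, entry) is not None:
            verdicts[entry] = "ok"
        elif targets_startup(entry):
            verdicts[entry] = "escape+startup"
        else:
            verdicts[entry] = "escape"
    return verdicts


if __name__ == "__main__":
    for entry, verdict in audit_entries("C:\\Users\\alice\\Downloads\\extract", SAMPLE_ENTRIES).items():
        print(f"{verdict:15} {entry}")
```

The same check applies to any archive format, since the defect is in trusting the entry name rather than in ACE itself.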


Ensign InfoSecurity Singapore