High-severity WinRAR 0-day exploited for weeks by 2 groups
Summary
Two Russian cybercriminal groups, RomCom and Paper Werewolf, are using a high-severity zero-day vulnerability in WinRAR to backdoor computers that open malicious archives attached to phishing messages.
The vulnerability abuses alternate data streams (ADS), an NTFS feature that lets additional named streams of data be attached to a file and addressed with a `file:stream` path syntax.
A crafted archive uses that syntax to trigger a previously unknown path traversal flaw, causing WinRAR to write malicious executables to attacker-chosen file paths rather than the directory the user selected for extraction, with the highlight being the ability to drop them into %TEMP% and %LOCALAPPDATA%, locations inside the user's profile that the archive should never be able to reach.
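The defensive counterpart to the flaw described above is a containment check that an extractor runs on every entry name before writing. The following Python is an added example written for this page, not code from WinRAR, ESET or the article: it rejects names carrying ADS syntax (a colon), absolute paths, and any name whose resolved path escapes the destination root. The entry names in `SAMPLE_ENTRIES` are constructed for the example and do not come from any real malicious archive.

```python
import os
import posixpath
from typing import List, Optional, Tuple

# Constructed archive listing: two benign entries plus three that an archive
# format sanitiser must refuse (ADS plus traversal, plain traversal, absolute).
SAMPLE_ENTRIES = [
    "Invoice.pdf",
    "docs/Invoice_2025.pdf",
    "Invoice.pdf:../../AppData/Roaming/payload.exe",  # ADS name that traverses
    "../../Users/Public/payload.exe",                  # plain traversal
    "C:/Users/Public/payload.exe",                     # absolute path
]


def safe_target_path(dest_root: str, entry_name: str) -> Optional[str]:
    """Return the absolute on-disk path for an archive entry, or None if the
    entry must be rejected. Treats Windows and POSIX separators alike so that
    "..\\" cannot slip past a check written for "../"."""
    name = entry_name.replace("\\", "/").strip()
    if not name:
        return None
    # NTFS alternate data streams are addressed as "file:stream"; a legitimate
    # archive entry never needs one. A drive letter ("C:") is caught here too.
    if ":" in name:
        return None
    # Absolute paths would ignore dest_root entirely.
    if name.startswith("/"):
        return None
    root = os.path.abspath(dest_root)
    # normpath collapses "a/../../b" into "../b" so the containment test below
    # sees the real target, not the decorated one.
    candidate = os.path.abspath(os.path.join(root, posixpath.normpath(name)))
    # Containment: the resolved path must still lie under dest_root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def vet_archive_listing(dest_root: str, names: List[str]) -> Tuple[List[str], List[str]]:
    """Split an archive listing into (accepted, rejected) entry names."""
    accepted, rejected = [], []
    for name in names:
        (accepted if safe_target_path(dest_root, name) else rejected).append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_archive_listing("/tmp/extract", SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

Run the check over the listing before extraction begins, not per entry during it, so a single hostile name aborts the whole archive instead of leaving a half-written directory behind.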
ESET, which researched the issue, reported that this is at least the third time RomCom has used a zero-day vulnerability in the wild, underscoring the group's focus on procuring and deploying exploits for targeted attacks.
RomCom is believed to be well-resourced and has been active for some years.