Discovered by researchers at the 360 Threat Intelligence Center, the flaw lets attackers exploit a path-traversal vulnerability in WinRAR and run malicious code on a victim's PC simply by getting them to open a file.
Generated using MSF (the Metasploit Framework), the backdoor is written into the system's global startup folder by WinRAR, provided UAC is turned off. The malicious code therefore runs each time the system boots and gives attackers remote access.
The flaw was patched by RAR Lab in the latest version of the popular compression tool, released last week. But with an installed base of over 500 million users, it is difficult to ensure that everyone has updated their software.
The vulnerability is being exploited via malspam (malware-laden emails) carrying CMSTray.exe, which is embedded inside the malicious archive rather than being downloaded from a remote server.
Once a victim opens the archive distributed by the attackers, the malicious code is dropped into the all-users startup folder (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CMSTray.exe).
To avoid falling victim to this vulnerability, keep User Account Control (UAC) enabled if you are running an older version of WinRAR.
Moreover, researchers also found a path-traversal vulnerability in unacev2.dll, a third-party dynamic-link library bundled with WinRAR that is used to parse ACE archives.
Attackers could thus use spear-phishing to deliver disguised ACE files that load malware onto a victim's system.
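The root cause described above, in both the startup-folder drop and the unacev2.dll finding, is an extractor trusting the file name stored in an archive header and writing wherever that name points. The check below is an added example written for this page; it is not WinRAR's code, not the ACE parser, and not from the original article. It shows the validation a safe extractor applies to every entry name before touching the disk, using Python's `ntpath` module so that Windows path rules are applied regardless of the host the check runs on. The archive listing is constructed for illustration: the last two names mimic the traversal shape the article describes (an absolute path into the Startup folder and a `..`-based climb to the same place), and `SAMPLE_ENTRIES`, `is_unsafe_entry`, `safe_target` and `audit_listing` are names chosen here, not names from any real tool.

```python
import ntpath
from typing import List, Tuple

# Constructed sample archive listing: the entry names an extractor would read
# from the archive headers. The last two mimic the traversal shape described
# in the article (absolute path and "..\" climb into the all-users Startup
# folder). They are illustrative strings, not data from a real sample.
SAMPLE_ENTRIES: List[str] = [
    "report.pdf",
    "images/logo.png",
    "docs\\readme.txt",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\CMSTray.exe",
    "..\\..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\CMSTray.exe",
]


def normalize_entry(name: str) -> str:
    """Canonicalise an archive entry name under Windows path rules.

    Windows extractors treat '/' and '\\' alike, so unify them before
    collapsing '.' and '..' components with ntpath.normpath.
    """
    return ntpath.normpath(name.replace("/", "\\"))


def is_unsafe_entry(name: str) -> Tuple[bool, str]:
    """Return (unsafe, reason) for a single archive entry name.

    An entry is unsafe if it can name a location outside the extraction
    directory: a drive or UNC prefix, a root-relative path, a NUL byte that
    would truncate the name at the OS boundary, or a surviving '..' component
    after normalisation (a '..' that is cancelled out by a preceding
    component, e.g. 'a\\..\\b.txt', still resolves inside and is allowed).
    """
    if "\0" in name:
        return True, "embedded NUL byte"
    norm = normalize_entry(name)
    drive, tail = ntpath.splitdrive(norm)
    if drive:
        return True, f"absolute path with drive {drive}"
    if tail.startswith("\\"):
        return True, "rooted path"
    parts = [p for p in tail.split("\\") if p]
    if ".." in parts:
        return True, "parent-directory traversal"
    return False, ""


def safe_target(extract_dir: str, name: str) -> str:
    """Join an entry name onto extract_dir and prove the result stays inside.

    Rejecting the name first is the primary defence; the commonpath check is
    a second, independent guard so that a bug in is_unsafe_entry cannot by
    itself lead to a write outside the extraction directory.
    """
    unsafe, reason = is_unsafe_entry(name)
    if unsafe:
        raise ValueError(f"refusing {name!r}: {reason}")
    base = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(base, name.replace("/", "\\")))
    if ntpath.commonpath([base, target]) != base:
        raise ValueError(f"refusing {name!r}: resolves outside {base!r}")
    return target


def audit_listing(entries: List[str]) -> List[Tuple[str, str]]:
    """Scan a whole listing and report every entry that would be refused."""
    findings = []
    for entry in entries:
        unsafe, reason = is_unsafe_entry(entry)
        if unsafe:
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    # Review the constructed listing before any extraction would take place.
    for entry, reason in audit_listing(SAMPLE_ENTRIES):
        print(f"BLOCKED  {reason:32s} {entry}")
    # A benign entry maps to a path strictly below the extraction directory.
    print(safe_target("C:\\Users\\me\\Downloads\\extract", "images/logo.png"))
```

Running the script on the constructed listing blocks the two Startup-folder entries and leaves the three ordinary files alone. The same two-layer shape (reject suspicious names, then verify the joined path with `commonpath`) is the fix pattern for this class of bug in any extractor, whatever archive format it reads; on a defender's side, `audit_listing` is also a cheap triage step for archives arriving by email, since an entry naming a Startup folder or containing `..` has no legitimate reason to be there.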
Meanwhile, researchers have urged users of the popular file-archiving tool to update to the latest version, 5.70 beta 1, to protect themselves from bad actors.