![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/1.jpg\")
<\/p>\n
- \n
- We can also see that the threat actor can craft the archive so that folder and file names are the same.<\/li>\n
- This is interesting as Windows doesn’t allow files and folders to have the same name in the same path.<\/li>\n
- This shows that it was weaponized after creating a regular zip by changing the bytes to make the file and folder name the same.<\/li>\n
- Also, note there is a trailing space at the end of the file and folder name (in yellow).<\/li>\n
- When we look inside the folder, we see many files, but the most important file is highlighted, which is a bat file containing a malicious script.<\/li>\n
- The bat file also has the same name as the benign file outside the folder.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/2.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/3.jpg\")
<\/p>\n- \n
- When we check the script, we see it launches cmd in the minimized state, then goes to the temp folder where WinRAR will extract the files, then tries to find the weakicons.com file, which is present inside the folder and executes it using wmic and then exits.<\/li>\n
- Checking weakicons.com we find that it is a CAB SFX file.
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/4.jpg\")
<\/li>\n - We extract it to check what is inside.
\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/5.jpg\")
<\/li>\n - We found a PE file, some ActiveX control objects, and two text files.<\/li>\n
- AMD.exe is a visual basic compiled file whose main job is to extract the dll hidden in a blob of data inside pc.txt and execute the ActiveX controls.<\/li>\n
- Inside add.txt, we find the registry keys it will try to manipulate
\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/6.jpg\")
<\/li>\n - The first control is responsible for registering a COM object in Windows. During registration, registry keys are imported from the “add.txt” file. As a result, a specific COM object with a unique CLSID is registered in the infected system. The default value of the InprocServer32 key is populated with the path to a malicious DLL named “Core.ocx”.
\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/7.jpg\")
<\/li>\n<\/ul>\n- \n
- Wmic process executes weakicons.com<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/8.jpg\")
<\/p>\n- \n
- com executes AMD.exe<\/li>\n<\/ul>\n
- \n
- AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\\nvidia folder.<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture9-1.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture10.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture11-1024x76.jpg\")
<\/p>\n- \n
- Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture12.jpg\")
<\/li>\n - Timeout is also called to slow down the activities of the infection chain.
\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture13.jpg\")
<\/li>\n - AMD.exe Calls rundll32 on the clsid that is registered in the registry<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture14.jpg\")
<\/p>\n- \n
- We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)<\/li>\n<\/ul>\n
Global Heatmap where this vulnerability is being seen in the wild(<\/u><\/strong>based on McAfee telemetry data)<\/u><\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/15.jpg\")
<\/u><\/strong><\/p>\nInfection chain<\/u><\/strong><\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/infection-chain2.png\")
<\/p>\nHow does the vulnerability work?<\/strong><\/p>\n
- \n
- Here, we will analyze the issue causing WinRAR to execute the script instead of opening the image.<\/li>\n
- We will compare how WinRAR behaves when we execute an image file from a weaponized zip vs. a normal zip. So we fire up ProcMon First.<\/li>\n<\/ul>\n
Normal.zip<\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/16-1.jpg\")
<\/p>\nWeaponized.zip<\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture16-1.jpg\")
<\/p>\n- \n
- The above image shows that the first logical bug is how WinRAR is extracting files in the temp folder before executing them. In the case of a regular zip, only the clean image file is extracted to the temp folder, whereas in the case of a weaponized zip, even the files present inside the folder are extracted to the temp folder along with the clean image file. This is due to the same file names we have given, which makes WinRAR extract those in temp.<\/li>\n
- Verifying the same in the temp folder<\/li>\n<\/ul>\n
Normal Zip<\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture17.jpg\")
<\/p>\nWeaponized Zip<\/p>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture18.jpg\")
<\/p>\n
- We can see successful tcp connection to threat actors C2.( ip 37[.]120[.]158[.]229)<\/li>\n<\/ul>\n
- Here, we observe AMD.exe calls reg.exe on registry keys inside add.txt
- AMD.exe extracts the encrypted dll file inside pc.txt and writes it in the romaing\\nvidia folder.<\/li>\n<\/ul>\n
- com executes AMD.exe<\/li>\n<\/ul>\n
- Wmic process executes weakicons.com<\/li>\n<\/ul>\n
![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture19-1.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture20-1.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture21.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture22.jpg\")
<\/li>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture23.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture24.jpg\")
<\/p>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture25.jpg\")
<\/li>\n![\"\"](\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/09\/Picture26.jpg\")
<\/p>\n