{"id":94446,"date":"2019-03-14T12:00:50","date_gmt":"2019-03-14T19:00:50","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=94446"},"modified":"2025-05-27T22:37:44","modified_gmt":"2025-05-28T05:37:44","slug":"attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/attackers-exploiting-winrar-unacev2-dll-vulnerability-cve-2018-20250\/","title":{"rendered":"Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)"},"content":{"rendered":"

Earlier this month Check Point Research reported<\/a> discovery of a 19 year old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that that are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable systems before they can be patched.<\/p>\n

One recent example piggybacks on a bootlegged copy of Ariana Grande\u2019s hit album \u201cThank U, Next\u201d with a file name of \u201cAriana_Grande-thank_u,_next(2019)_[320].rar\u201d<\/p>\n

When a vulnerable version of WinRAR is used to extract the contents of this archive, a malicious payload is created in the Startup folder behind the scenes. User Account Control (UAC) does not apply, so no alert is displayed to the user. The next time the system restarts, the malware is run.<\/p>\n

\"\"<\/p>\n

Figure 1 \u2013 Malformed Archive detected by McAfee as CVE2018-20250!4A63011F5B88<\/em>
\nSHA256: e6e5530ed748283d4f6ef3485bfbf84ae573289ad28db0815f711dc45f448bec<\/em><\/p>\n

\"\"<\/p>\n

Figure 2 – Extracted non-malicious MP3 files<\/em><\/p>\n

\"\"<\/p>\n

Figure 3 – Extracted Malware payload detected by McAfee as Generic Trojan.i<\/em>
\nSHA256: A1C06018B4E331F95A0E33B47F0FAA5CB6A084D15FEC30772923269669F4BC91<\/em><\/p>\n

In the first week since the vulnerability was disclosed, McAfee has identified over 100 unique exploits and counting, with most of the initial targets residing in the United States at the time of writing.<\/p>\n

The Importance of Updates<\/h2>\n

McAfee advises users to keep their anti-malware signatures up to date at all times. McAfee products detect known and unknown malformed ACE files exploiting the vulnerability as CVE2018-20250![Partial hash] starting with the following content<\/p>\n