The Dark Side of RAR Files: A New Method for Delivering Malicious Payloads

Sep 18, 2023 | Articles, Write up


Introduction

Cyber threats are constantly evolving, and attackers keep refining their tactics to evade antivirus and EDR/XDR software with new ways to deliver payloads and exploit vulnerabilities. One technique that keeps reappearing is the use of RAR archives, sent by email or over social media platforms, to trick individuals into extracting and executing malicious content.

RAR is a popular compression format for packaging multiple files into a single archive. Most scanners can unpack an unencrypted RAR and inspect each member, but once the archive is password-protected its contents, and with header encryption even its file list, are unreadable without the key. This gap is what makes RAR attractive to attackers: an encrypted archive travels through mail gateways and on-access scanners as an opaque blob, and the payload is only exposed when the recipient types the password.

A RAR file is a compressed archive format, commonly used for file compression and archival purposes. It stands for “Roshal Archive,” named after its creator, Eugene Roshal. RAR files use a proprietary compression algorithm that combines multiple files into a single archive, reducing their overall size. RAR files are often used for distributing large files or collections of files, as they can significantly reduce the file size and make it easier to transfer or store them.

In this article, we will look at how RAR files are used to deliver payloads, under what conditions they get past antivirus and EDR/XDR scanning, and at one WinRAR vulnerability that turned a crafted archive into code execution.

 

RAR files can be employed by cybercriminals in various scenarios for malicious purposes.

Concealing Malware: Attackers use RAR files to hide malicious content. Packing the malware into an archive, and especially into a password-protected one, hides its true nature from scanners that inspect the attachment in transit. Once the archive is opened and extracted, the malware is on disk and a click away from execution on the victim’s system.

Exploiting Vulnerabilities: The software that handles archives has had vulnerabilities of its own. Attackers can craft archives that exploit flaws in the extraction code, turning the act of unpacking into remote code execution or other attacks (Scenario #2 below covers one such case in WinRAR).

Social Engineering: Attackers may use RAR files as part of social engineering tactics. They can send seemingly innocent RAR files to trick users into opening them, claiming they contain important documents, software updates, or other enticing content. Once opened, the RAR file may deliver malware or initiate other malicious actions.


Scenario #1:

As we saw in the beginning, one commonly used technique by attackers that involves RAR files is the use of payloads concealed within encrypted archives. In this scenario, we will explore the differences and implications of using an archive with no password versus one that is password-protected. We will also examine whether these payloads can go undetected by antivirus software.

 

Technical Part

 

The Unprotected Archive:

An attacker creates an archive containing a malicious payload but does not set a password. This may be a deliberate choice: the recipient can extract it without any extra step, which lowers the friction between opening the mail and running the payload. The trade-off is that every scanner along the way can unpack the archive and look at the payload itself, so detection is far more likely.

 

 

The Password-Protected Archive:

In contrast, the attacker here sets a password on the archive containing the payload. This is not security in any meaningful sense, it is obfuscation aimed at the scanner: as long as the content is encrypted, antivirus, EDR and XDR engines cannot read it. The cost is operational: the password has to reach the victim separately, typically in the body of the same email or in a follow-up message, and the victim has to be persuaded to type it.

 

 

Antivirus, EDR/XDR Detection:

Antivirus, EDR, and XDR software utilize various techniques to detect and prevent malicious activities. One of the primary methods is signature-based scanning, where the software compares files and their contents against a database of known malware signatures. In the case of an unprotected archive, the absence of password protection allows antivirus, EDR, and XDR software to easily scan and analyze the file’s contents, increasing the chances of detecting the malicious payload.

Password-protected archives present a different challenge. Since antivirus, EDR and XDR software cannot read the archive’s contents without the password, signature-based scanning has nothing to match against until the victim extracts the files. The window the attacker exploits is therefore not the time until a signature exists, but the time between the archive passing the gateway unread and the extracted payload first touching disk on the endpoint, where only the endpoint’s own on-access scanning stands between the file and execution.

 

Beyond Signature-Based Detection:

While signature-based detection is a widely used technique, modern security solutions employ a range of other methods to identify and block malicious payloads: heuristics, behavior-based analysis, machine learning, sandboxing, and more. Password protection alone cannot shield a payload from detection once it is extracted and runs, because its behavior on the endpoint is visible to these mechanisms regardless of how it arrived. For the same reason, many mail gateways simply quarantine encrypted archives they cannot inspect rather than letting them through.
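The scanning gap described in this scenario is a property of the container, not of the scanner, so a gateway or endpoint agent can at least decide from the archive’s headers whether it can inspect the contents at all. The script below is an added example written for this article, not code from the original post or from any named product. It walks the block headers of a RAR5 archive (the current RAR format) without decompressing anything, lists member names, flags header encryption and per-member encryption, and also flags member paths that would escape the extraction directory, the pattern the ACE exploit in Scenario #2 relies on. ACE and older RAR4 archives are recognised by signature only and fail closed. The sample archives, member names and verdict strings are constructed for the demonstration, with header CRCs left at zero.

```python
"""Header-level triage of an archive attachment before anyone extracts it.
Added example, not code from the original article: walks RAR5 block headers
without decompressing anything, lists member names, flags header or member
encryption, and flags member paths that escape the extraction directory.
ACE and RAR4 files are recognised by signature only and fail closed. Sample
archives below are constructed with header CRCs left at zero."""

RAR4_MAGIC, RAR5_MAGIC = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"
ACE_MAGIC = b"**ACE**"  # sits at offset 7 of an ACE main header

def _vint(buf, pos):  # RAR5 varint: 7 bits per byte, high bit = more follows
    val = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, pos
        shift += 7

def _walk_rar5(buf, rep):
    pos = len(RAR5_MAGIC)
    while pos + 4 < len(buf):
        hsize, p = _vint(buf, pos + 4)  # skip the header CRC32
        end = p + hsize  # header size covers type, flags, fields and extra area
        htype, p = _vint(buf, p)
        hflags, p = _vint(buf, p)
        p = _vint(buf, p)[1] if hflags & 1 else p  # extra area size (implied by end)
        data, p = _vint(buf, p) if hflags & 2 else (0, p)  # packed data size
        if htype == 4:  # archive encryption header: every later header is ciphertext
            rep["headers_encrypted"] = True
            return
        if htype == 2:  # file header
            fflags, p = _vint(buf, p)
            p = _vint(buf, _vint(buf, p)[1])[1]  # unpacked size, attributes
            p += (4 if fflags & 2 else 0) + (4 if fflags & 4 else 0)  # mtime, CRC32
            p = _vint(buf, _vint(buf, p)[1])[1]  # compression info, host OS
            nlen, p = _vint(buf, p)
            rep["names"].append(buf[p:p + nlen].decode("utf-8", "replace"))
            p += nlen
            while p < end:  # extra records: size, type, payload; type 1 = file encryption
                rsize, p = _vint(buf, p)
                if _vint(buf, p)[0] == 1:
                    rep["encrypted"].append(rep["names"][-1])
                p += rsize
        if htype == 5:  # end of archive
            return
        pos = end + data

def triage(buf):
    """Classify an archive from its headers alone; returns a dict report."""
    rep = dict(kind="unknown", headers_encrypted=False, names=[], encrypted=[],
               traversal=[], verdict="scan: not a RAR/ACE container")
    if buf[7:14] == ACE_MAGIC:
        rep.update(kind="ace", verdict="block: ACE format, unpacker unmaintained")
    elif buf.startswith(RAR4_MAGIC):  # fail closed on what this script does not parse
        rep.update(kind="rar4", verdict="quarantine: RAR4 headers not parsed here")
    elif buf.startswith(RAR5_MAGIC):
        rep["kind"] = "rar5"
        try:
            _walk_rar5(buf, rep)
        except IndexError:  # ran off the end while reading a header
            rep["verdict"] = "block: truncated or malformed headers"
            return rep
        rep["traversal"] = [n for n in rep["names"] if ".." in n.replace("\\", "/").split("/")
                            or n[:1] in ("/", "\\") or n[1:3] in (":\\", ":/")]
        if rep["headers_encrypted"]:
            rep["verdict"] = "quarantine: file list hidden, nothing to scan"
        elif rep["encrypted"]:
            rep["verdict"] = "quarantine: encrypted members " + ", ".join(rep["encrypted"])
        elif rep["traversal"]:
            rep["verdict"] = "block: member path escapes extraction dir " + ", ".join(rep["traversal"])
        else:
            rep["verdict"] = "scan: contents readable"
    return rep

def _vint_enc(n):  # inverse of _vint, used only to build the constructed samples
    out = b""
    while n > 0x7F:
        out, n = out + bytes([n & 0x7F | 0x80]), n >> 7
    return out + bytes([n])

def _hdr(htype, body, extra=b"", data=b""):  # one RAR5 block, CRC32 field left zero
    flags = (1 if extra else 0) | (2 if data else 0)
    fields = _vint_enc(htype) + _vint_enc(flags)
    fields += (_vint_enc(len(extra)) if extra else b"") + (_vint_enc(len(data)) if data else b"")
    return b"\0\0\0\0" + _vint_enc(len(fields) + len(body) + len(extra)) + fields + body + extra + data

def sample_rar5(name=b"invoice.exe", enc_hdr=False, enc_file=True, data=b"MZ-stub"):
    """Constructed single-member RAR5 archive with optional encryption markers."""
    if enc_hdr:  # type 4 header (version, flags, KDF count, salt), then opaque ciphertext
        return RAR5_MAGIC + _hdr(4, b"\0\0\0" + b"\0" * 16) + b"\xaa" * 32
    body = (_vint_enc(0) + _vint_enc(len(data)) + _vint_enc(0x20) + _vint_enc(0)
            + _vint_enc(2) + _vint_enc(len(name)) + name)  # flags, size, attr, comp, OS, name
    extra = _vint_enc(9) + _vint_enc(1) + b"\0" * 8 if enc_file else b""  # encryption record
    return RAR5_MAGIC + _hdr(1, _vint_enc(0)) + _hdr(2, body, extra, data) + _hdr(5, _vint_enc(0))

if __name__ == "__main__":
    print(*[triage(b)["verdict"] for b in (sample_rar5(), sample_rar5(enc_hdr=True))], sep="\n")
```

Two design points carry over to a real deployment. First, the decision is taken from what the headers expose: a RAR5 archive with header encryption shows nothing but the type 4 encryption header, and that alone is enough to route it to quarantine instead of pretending it was scanned clean. Second, the check fails closed: a container the tool cannot parse is not waved through as "clean", it is held for a human or a sandbox. Pairing this with a rule that flags a password appearing in the same message as the attachment catches the delivery pattern from the password-protected case above.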

Scenario #2:

One well-known critical vulnerability in the WinRAR compression utility, CVE-2018-20250, put millions of users at risk of Remote Code Execution (RCE). The flaw was not in RAR handling at all but in UNACEV2.dll, the third-party library WinRAR used to extract the legacy ACE format, which had not been updated since 2005.

Check Point Research disclosed the issue in February 2019. A crafted ACE archive can carry a member whose path traverses outside the chosen extraction folder, so extracting it with a vulnerable WinRAR writes the attacker’s file wherever the filename says, for example into the user’s Startup folder. From there the file runs at the next logon, opening the door to unauthorized access, data theft, and further malware deployment.

 

Technical Part

This scenario shows how the WinRAR ACE vulnerability becomes a significant security issue for organizations and for any user who extracts archives with an unpatched WinRAR:

 

Metasploit, a widely used penetration testing framework, includes a module for this flaw (exploit/windows/fileformat/winrar_ace) that builds the malicious ACE file with a chosen payload and drop path. Its existence alone shows how low the bar is, and why prompt patching matters.

 

The archive still has to reach the victim, so delivery relies on social engineering: the crafted ACE file, often renamed with a .rar extension since WinRAR identifies the format from the content rather than the name, is sent as an attachment that the victim is expected to extract.

Meanwhile, on the attacker’s side, a listener is started to handle the callback once the dropped file runs. Control is only established when that executable actually executes, which with a Startup folder drop means at the victim’s next logon.

 

After extraction, the payload sits in the victim’s Startup folder: the path traversal, not the user, chose where the file went, and nothing in the extraction flow raised an alert.

 

When the victim next logs on, Windows runs everything in the Startup folder, the payload executes, and the attacker’s session comes up. A reboot therefore does not end the access: the drop location is itself the persistence mechanism.

The vulnerability affects every WinRAR release before 5.70 (February 2019), which is when RARLAB removed UNACEV2.dll and ACE support entirely. WinRAR is a Windows application and UNACEV2.dll is a Windows library, so the flaw is specific to Windows installs of WinRAR.

Cybercriminals exploit this by distributing crafted ACE archives via email attachments, compromised websites, or other lures. Unsuspecting users who extract these files with a vulnerable WinRAR unknowingly write the attacker’s executable to a location from which it will run, handing over control of their systems.

It’s important to note that the attacker needs to deceive a user into extracting the manipulated archive. Given WinRAR’s user base, and the fact that WinRAR has no automatic update mechanism so old versions linger for years, that is not a substantial obstacle.

 

RARLAB fixed the ACE flaw in WinRAR 5.70 by dropping ACE support. The more recent WinRAR 6.23, released on August 2nd, 2023, addressed a different code-execution bug, CVE-2023-40477 in recovery volume processing; it is relevant here because an install old enough to still ship UNACEV2.dll has missed that fix as well.

Numerous organizations and end users still run WinRAR builds old enough to carry the ACE vulnerability. WinRAR users should update promptly, and checking for unacev2.dll under the WinRAR installation directory is a quick way to find the stragglers.

Since WinACE is abandonware and its extraction library will never be fixed, users are advised against opening ACE archives in any product that still bundles that library; WinRAR 5.70 and later simply refuse them.

Conclusion

 

In conclusion, RAR files remain an attractive method for malicious hackers to deliver payloads, because an encrypted archive gives the scanner nothing to read until the victim cooperates.

Cybercriminals can also take advantage of vulnerabilities in the archiving software itself, so that the act of extraction, not a double-click on the payload, is what compromises the system. By enticing users to extract such files, attackers can gain unauthorized access, compromise data, and carry out various nefarious activities.

Be cautious when handling compressed files received from unfamiliar sources, and treat a password-protected archive whose password arrives in the same message as a warning sign rather than a convenience. Keep archiving tools and operating systems updated (WinRAR does not update itself) and use security solutions that inspect archives both at the gateway and on the endpoint; together these significantly reduce the risk of falling victim to such exploits.

Additionally, implementing file validation mechanisms, employing multi-layered defense strategies, and staying informed about the latest threats are essential steps to mitigate the risk of payload delivery.

 
