Hackers have begun exploiting a recently disclosed code-execution vulnerability in WinRAR, a Windows file compression program with roughly 500 million users worldwide. The exploits install malicious programs that, at the time of writing, are detected by only a small minority of antivirus products.
The flaw, disclosed last month by Check Point Research, drew immediate attention because it lets an attacker plant hidden malicious applications when a target opens a crafted archive with any version of WinRAR released in the past 19 years. The bug (CVE-2018-20250) is a path traversal in UNACEV2.DLL, the third-party library WinRAR uses to unpack ACE archives; a malicious ACE file renamed with a .rar extension still reaches the vulnerable code. Because the library trusts the paths stored inside the archive, the archive's creator can have a file written to the Windows Startup folder (or any other location of their choosing) instead of the folder the user selected, with no warning. Anything dropped into Startup runs automatically the next time the user logs on, for example after a reboot.
On Thursday, a McAfee researcher reported that the company had detected "100 different exploits" in the first week after the vulnerability was disclosed. Most of the targets seen so far are in the US.
"A recent example concerns an illegal copy of Ariana Grande's album, Thank U, Next, with the file name 'Ariana_Grande-thank_u, _next (2019) _  .rar'," writes McAfee researcher Craig Schmugar in the post. "When using a vulnerable version of WinRAR to extract the contents of this file, a malicious payload is created in the Startup folder. User Access Control (UAC) is bypassed, so no notification is displayed to the user. The next time the system is restarted, the malicious program will be executed."
Screenshots in the post show the archive extracting harmless MP3 files into the target's download folder while silently dropping a file named "hi.exe" into the Startup folder. No UAC prompt appears because the per-user Startup folder is writable without elevation; nothing in the chain needs administrative rights. After a reboot, hi.exe installed a trojan that, according to Google's VirusTotal service, was detected by just nine AV vendors. Schmugar did not say whether all 100 exploits McAfee found installed the same malware.
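The traversal mechanism described above (a stored path that climbs out of the chosen extraction folder into Startup) and the hi.exe case from McAfee's post, as an added example that is not code from this article, from McAfee or from WinRAR. The sample archive is constructed here and is a ZIP standing in for the real ACE file, since Python ships no ACE writer; the check only looks at the paths stored in the archive, so it applies to any format. The function names, the STARTUP_MARKER string and the scratch directory are this example's own choices. It goes slightly beyond the article by also rejecting absolute and drive-letter paths, which are the other common way out of a destination directory.

```python
import io
import ntpath
import os
import posixpath
import tempfile
import zipfile

# Per-user autorun location the article's payload lands in (assumed marker string).
STARTUP_MARKER = "start menu/programs/startup"


def build_sample_archive() -> bytes:
    """Constructed sample, not the real Ariana Grande RAR: one benign MP3 entry
    plus an entry whose stored name climbs out of the extraction directory into
    a Startup folder, like the hi.exe case above. The payload bytes are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ariana_Grande-thank_u_next/01.mp3", b"ID3 harmless audio")
        zf.writestr(
            "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/hi.exe",
            b"MZ fake payload (inert bytes)",
        )
    return buf.getvalue()


def vulnerable_target(dest: str, member: str) -> str:
    """What an unvalidated extractor does: trust the stored name and join it onto
    the destination. '..' segments and absolute names walk out of dest. Returns
    the path that would be written; nothing is written here."""
    return os.path.normpath(os.path.join(dest, member.replace("\\", "/")))


def classify_member(dest: str, member: str) -> str:
    """Verdict for one stored path: 'ok', 'absolute path', 'escapes destination',
    or 'escapes destination (Startup folder)' when it would gain autorun."""
    name = member.replace("\\", "/")
    if ntpath.isabs(name) or posixpath.isabs(name):
        return "absolute path"
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, name))
    try:
        # commonpath, not startswith: '/srv/extract' must not accept '/srv/extract2/x'
        inside = os.path.commonpath([dest_abs, target]) == dest_abs
    except ValueError:  # different drives on Windows
        inside = False
    if inside:
        return "ok"
    if STARTUP_MARKER in target.replace("\\", "/").lower():
        return "escapes destination (Startup folder)"
    return "escapes destination"


def triage_archive(data: bytes, dest: str) -> dict:
    """Detection pass: map every member to its verdict without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: classify_member(dest, i.filename) for i in zf.infolist()}


def safe_extract(data: bytes, dest: str) -> list:
    """Hardened extractor: writes only members that resolve inside dest and
    returns their stored names; everything else is skipped."""
    written = []
    dest_abs = os.path.abspath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if classify_member(dest_abs, info.filename) != "ok":
                continue
            target = os.path.abspath(os.path.join(dest_abs, info.filename.replace("\\", "/")))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def run_demo() -> tuple:
    """Triage, then safely extract the sample into a scratch directory.
    Returns (verdicts, names written, files actually present afterwards)."""
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as d:
        verdicts = triage_archive(data, d)
        written = safe_extract(data, d)
        present = sorted(os.path.relpath(os.path.join(r, f), d).replace("\\", "/")
                         for r, _, fs in os.walk(d) for f in fs)
    return verdicts, written, present


if __name__ == "__main__":
    verdicts, written, present = run_demo()
    for name, verdict in verdicts.items():
        print(f"{verdict:40} {name}")
    print("written by safe_extract:", written)
    print("files on disk after extraction:", present)
```

The traversal entry is what a vulnerable extractor would happily write two directories above the chosen folder; the hardened path resolves every stored name against the destination and compares with commonpath rather than a string prefix, so a sibling directory with a longer name cannot be used to slip past the check either.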
Web searches show that an Ariana Grande RAR file with the same title McAfee identified is currently being distributed on BitTorrent services and is also advertised on Twitter. Any file offered for download on the internet should be treated with suspicion. WinRAR users should make sure they are running version 5.70, which drops ACE support entirely and no longer ships UNACEV2.DLL; every earlier version is vulnerable. WinRAR does not update itself, so the new version has to be installed by hand, and a quick check is whether UNACEV2.DLL is still present in the WinRAR installation folder. Another option is switching to 7-Zip.