APT MuddyWater Exploits ACE WinRAR Flaw
Advanced Persistent Threat (APT) MuddyWater, also known as Seedworm, has been identified as the cyberespionage group behind a series of recent Windows attacks. The Microsoft Office 365 Threat Research Team discovered a cyberattack that used an exploit for CVE-2018-20250 that affects WinRAR versions prior to and including 5.61. The WinRAR vulnerability was previously discovered in February 2019 by Checkpoint researchers. Shortly after the vulnerability was discovered, Microsoft identified it being used to target organizations in the satellite and communications industry. Multiple tactics were used in these attacks in an attempt to obfuscate the malicious payload including a fileless PowerShell backdoor that can ultimately give the APT full control of the compromised target. It is estimated over 500 million people use WinRAR worldwide. The technical details of the attack chain are highlighted in the Microsoft Research blog. The NJCCIC advises users to run all Windows updates and refrain from clicking on links or attachments in unknown or unsolicited emails. We also suggest users review a summary of recommendations from Symantec regarding the WinRAR vulnerability.