Simple phishing techniques were used in one of the incidents: an alleged pirated copy of Ariana Grande's "Thank U, Next" album was distributed as a WinRAR archive that contained not only the audio files but also malicious .exe files, which are extracted to the Windows Startup folder and executed on the next restart. WinRAR's developers fixed the vulnerability on February 26, 2019, but those who fell for the lure were apparently still running older versions, having disabled WinRAR's auto-update in the settings menu.
The flaw, an "Absolute Path Traversal" vulnerability tracked as CVE-2018-20250, was discovered in UNACEV2.DLL, a support library shipped with every WinRAR installation to handle the ACE archive format. In an unpatched version of UNACEV2.DLL, an executable compressed into an ACE archive can be extracted to the system's Startup folder instead of the directory the user chose. The threat actor therefore only needs to get the user to open a malicious ACE archive in WinRAR, whether through a phishing message or a shortened URL pointing at the download, and can pick whatever file is to be placed in the archive for later execution; once the machine is rebooted, the system runs that file automatically. The bug was fixed in WinRAR 5.70 beta 1, and this is exactly what happened to WinRAR users who had deliberately disabled auto-updates.

It is unfortunate that many users are starting to avoid auto-updates for their software altogether, to spare themselves the hassle of restarting the computer and interrupting their workflow. Just like the operating system itself, application software needs to be updated regularly so that already-fixed security vulnerabilities cannot be taken advantage of by third parties.
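A defensive check that an extractor or an archive-scanning tool can apply to each entry name before writing anything to disk, added here as an example that is not part of the original article or of WinRAR's code: it refuses names that are absolute, rooted, drive-relative, or that climb out of the destination directory with "..". The destination path and the entry names are constructed for illustration; ntpath is used explicitly so the Windows path rules apply on any host.

```python
import ntpath

# Destination the user chose for extraction (constructed example path).
DEST_DIR = r"C:\Users\victim\Downloads\thank_u_next"

# Constructed entry names modelled on the incident: audio files plus an
# executable whose stored path points at the Windows Startup folder.
SAMPLE_ENTRIES = [
    r"Ariana Grande - thank u, next\01 - imagine.mp3",
    r"Ariana Grande - thank u, next\02 - needy.mp3",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe",
    r"\Startup\update.exe",
]


def is_safe_entry(entry_name: str, dest_dir: str) -> bool:
    """True only if writing entry_name under dest_dir cannot escape dest_dir."""
    name = entry_name.replace("/", "\\")
    # Rooted names (leading backslash, including UNC) and names carrying a
    # drive letter ("C:\..." or drive-relative "C:foo") let the archive, not
    # the user, choose where the file lands.
    if name.startswith("\\") or ntpath.splitdrive(name)[0]:
        return False
    # Resolve "." and ".." against the destination and require the result to
    # stay inside it; normcase makes the comparison case-insensitive.
    base = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base, name)))
    return target == base or target.startswith(base.rstrip("\\") + "\\")


def audit_archive(entries, dest_dir=DEST_DIR):
    """Split entry names into those safe to extract and those to refuse."""
    accepted = [e for e in entries if is_safe_entry(e, dest_dir)]
    rejected = [e for e in entries if not is_safe_entry(e, dest_dir)]
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = audit_archive(SAMPLE_ENTRIES)
    for entry in bad:
        print("REFUSED:", entry)
    print(f"{len(ok)} entries safe to extract, {len(bad)} refused")
```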