{
	"id": "76376441-e193-4a5f-bbaa-e2d22698bae5",
	"created_at": "2026-04-06T00:16:33.248248Z",
	"updated_at": "2026-04-10T13:12:08.372189Z",
	"deleted_at": null,
	"sha1_hash": "9b8b964db21ef41f87c5427ddc5bfad69bde470a",
	"title": "Protecting Against WinRAR Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38875,
	"plain_text": "Protecting Against WinRAR Vulnerabilities\r\nBy bferrite\r\nPublished: 2019-02-27 · Archived: 2026-04-05 19:34:34 UTC\r\nA 19-year-old, yet major, vulnerability was recently found by Check Point Research in the popular web application, WinRAR, that could potentially put over 500 million users at risk. The exploit works by simply extracting an archive from an innocent-looking ACE file, which could lead to remote code execution.\r\nFollowing the discovery, it was not long at all before the Check Point Research team, as well as a researcher from NCC Group, spotted a malware sample leveraging this vulnerability in the wild. In this case, the malware is an ACE archive containing a JS file that is, in turn, written to the startup folder. It will download and run an executable when initiated. The downloaded executable is a .NET RAT called Orcus.\r\nFortunately, Check Point customers were already protected against this type of attack before this WinRAR vulnerability was published last week. By taking a closer look at how Check Point SandBlast Agent works, we can get a better understanding of both the attack and the protection against it.\r\nFigure 1: Forensics Report from SandBlast Agent (in detect-only mode to showcase the whole attack) highlighting the script drop and execution upon reboot.\r\nThe attack begins with the user extracting an archive using WinRAR, believing he is extracting an .rbxm file, which is a 3D model for Roblox, a popular online gaming platform. In addition to the 3D model, there is a hidden JS file with a custom path to the user’s startup folder, as highlighted below.\r\nFigure 2: WinRAR archive containing JS file.\r\nMeanwhile, we can see from the SandBlast Agent Forensics report that the JS payload file is actually extracted to the user’s startup folder, where it will then be launched once the user reboots the machine or simply logs off and logs back on.\r\nFigure 3: WinRAR process writing JS file to startup folder.\r\nFigure 4: Execution of JS file, download and launch of the Orcus RAT.\r\nSandBlast Agent is able to catch such activity through the SandBlast Agent Behavioral Guard protection named Gen.Win.WrarExp.A.\r\nBy performing Advanced Behavioral Analysis along with threat extraction and sandboxing techniques remotely on public or private cloud servers, SandBlast Agent is able to use a low-overhead, non-intrusive approach to protect users against modern malware techniques.\r\nThe exploitation of vulnerabilities in such commonly used applications as WinRAR highlights once again how easily users can be exposed to malware when downloading files. By doing so, they can inadvertently put an enterprise’s entire IT network at risk of infection.\r\nWhen suspicious events do occur, it is essential that organizations have immediate access to the information required to fully understand and triage attacks, to quickly identify source and scope, and to determine the best path of resolution.\r\nCheck Point SandBlast Agent is a progressive new solution that extends advanced threat prevention to endpoint devices to defend against zero-day and targeted threats. With the capture and automatic analysis of complete forensics data, SandBlast Agent provides actionable attack insight and context to enable rapid remediation in the event of a breach.\r\nFor more information, please request a demo of SandBlast Agent.\r\nCheck Point customers are protected by the following IPS protection:\r\nRARLAB WinRAR ACE Format Input Validation Remote Code Execution (CVE-2018-20250)\r\nIOCs:\r\nSample: 8b1ec801a22884efde29c9d596d42bccbe9e6a981f65aecc69819bf427387d3f\r\nhttps://www.virustotal.com/gui/file/8b1ec801a22884efde29c9d596d42bccbe9e6a981f65aecc69819bf427387d3f/detection\r\nDownloaded RAT: 3a15f711370a667b41067f63ce181624451f542ca023825983446425d388fb70\r\nhttps://www.virustotal.com/gui/file/3a15f711370a667b41067f63ce181624451f542ca023825983446425d388fb70/detection\r\nC2 Server: galrov.warzonedns.com\r\nPort: 1604\r\nSource: https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/"
	],
	"report_names": [
		"protecting-against-winrar-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434593,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8b964db21ef41f87c5427ddc5bfad69bde470a.pdf",
		"text": "https://archive.orkl.eu/9b8b964db21ef41f87c5427ddc5bfad69bde470a.txt",
		"img": "https://archive.orkl.eu/9b8b964db21ef41f87c5427ddc5bfad69bde470a.jpg"
	}
}