Fake WinRAR downloads hide malware behind a real installer
A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that’s usually a good indicator of a new campaign. WinRAR is a popular utility that’s often downloaded from “unofficial” sites, which gives campaigns offering fake downloads a bigger chance of being effective.
The analysis of the downloaded file turned out to be something of a Matryoshka doll, with layer after layer. Often, these payloads contain self-extracting or multi-stage components that can download further malware, establish persistence, exfiltrate data, or open backdoors, all depending on an initial system analysis. One of the first actions this malware took was to access sensitive Windows data in the form of Windows Profiles information. This indicates that the file selects the “best-fit” malware for the affected system before further compromising or infecting it.
The original file was called winrar-x64-713scp.zip, and the initial analysis with Detect It Easy (DIE) hinted at several layers. Unzipping the file produced winrar-x64-713scp.exe, which turned out to be a UPX-packed file that required the --force option to unpack because of deliberate PE anomalies. Looking at the unpacked file, DIE showed yet another layer: (Heur)Packer: Compressed or packed data[SFX]. Looking at the strings inside the file, two RunProgram instances were noticed: RunProgram="nowait:"1winrar-x64-713scp1.exe"" and RunProgram="nowait:"youhua163安装.exe"". The file 1winrar-x64-713scp1.exe turned out to be the actual WinRAR installer, likely included to ease suspicion for anyone running the malware. The Chinese characters “安装” translate as “install.” After removing another layer, the other file turned out to be a password-protected zip file named setup.hta. Running the file on a virtual machine showed that setup.hta is unpacked at runtime directly into memory. The memory dump revealed another interesting string: nimasila360.exe.
This is a known file often created by fake installers and associated with the Winzipper malware. Winzipper is a known Chinese-language malicious program that pretends to be a harmless file archive so it can sneak onto a victim’s computer, often through links or attachments. Once opened and installed, it quietly deploys a hidden backdoor that lets attackers remotely control the machine, steal data, and install additional malware, all while the victim believes they’ve simply installed legitimate software. Indicators of Compromise (IOCs) include domains: winrar-tw[.]com, winrar-x64[.]com, and winrar-zip[.]com. Filenames identified are winrar-x64-713scp.zip, youhua163安装.exe, and setup.hta (dropped in C:\Users\{username}\AppData\Local\Temp).
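The two RunProgram strings found in the SFX layer are a useful triage signal on their own: a legitimate self-extracting installer normally launches one program, while a decoy installer plus a second, background-launched file is the pattern described above. The following added example (not from the Malwarebytes article) pulls the 7-Zip SFX config block out of a file, parses its RunProgram directives, and flags that pattern; the sample bytes are constructed for the demo, and the UPX check is a crude section-name heuristic rather than a real packer identification.

```python
import re

# Constructed sample (not a real capture): a stub PE with UPX section names and a
# 7-Zip SFX install-config block. The filenames are the ones named in the article.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b";!@Install@!UTF-8!\r\n"
    + b'Title="WinRAR"\r\n'
    + b'RunProgram="nowait:\\"1winrar-x64-713scp1.exe\\""\r\n'
    + 'RunProgram="nowait:\\"youhua163安装.exe\\""\r\n'.encode("utf-8")
    + b";!@InstallEnd@!\r\n"
)

# Real 7-Zip SFX config delimiters; everything between them is the installer script.
CONFIG_RE = re.compile(rb";!@Install@!UTF-8!(.*?);!@InstallEnd@!", re.S)
# RunProgram value, allowing the \" escapes 7-Zip uses for quoted paths.
RUN_RE = re.compile(r'RunProgram="((?:[^"\\]|\\.)*)"')


def extract_sfx_config(data: bytes):
    """Return the decoded SFX config text, or None if no block is present."""
    m = CONFIG_RE.search(data)
    return m.group(1).decode("utf-8", errors="replace") if m else None


def run_programs(config: str):
    """Parse every RunProgram= directive into whether it blocks and what it runs."""
    entries = []
    for raw in RUN_RE.findall(config):
        value = raw.replace('\\"', '"')          # undo 7-Zip's quote escaping
        waits = not value.startswith("nowait:")
        command = value if waits else value[len("nowait:"):]
        entries.append({"waits": waits, "command": command.strip().strip('"')})
    return entries


def triage(data: bytes):
    """Heuristic checks for the layering seen in the fake WinRAR sample."""
    findings = []
    upx = b"UPX0" in data and b"UPX1" in data   # crude: section names only
    if upx:
        findings.append("UPX section names present (packed outer layer)")
    config = extract_sfx_config(data)
    programs = run_programs(config) if config else []
    if len(programs) > 1:
        findings.append("SFX runs %d programs; decoy + payload pattern" % len(programs))
    for p in programs:
        if not p["waits"]:
            findings.append("background launch (nowait): " + p["command"])
        if not p["command"].isascii():
            findings.append("non-ASCII filename: " + p["command"])
    return {"upx": upx, "run_programs": programs, "findings": findings}
```

Run it against a real suspect file by reading the file bytes and passing them to triage(); an empty findings list means none of the heuristics fired, not that the file is clean.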
To stay safe, only download software from official and trusted sources. Avoid clicking links that promise to deliver that software on social media, in emails, or on other unfamiliar websites. Additionally, use a real-time, up-to-date anti-malware solution to block threats before they can run.
To read the complete article see: Malwarebytes.