Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
Today we stumbled upon an interesting file. The file in question, "wrar380CorporateEdition.exe" (md5: f054f5a1bcb79098916c80b28e4f2bec), appears to be the install kit for the WinRar archiver. Upon closer inspection, it is actually a self-extract cab installer containing 2 files:
When the installer is run, both files execute.
While the file "wrar380.Regged.exe" is actually WinRAR, the other file is actually... malware. A closer look at "Setup_ver1.1808.0.exe" reveals that it is a version of the notorious Zlob trojan. So basically, the original download is a forged version of WinRAR that installs malware. Nothing really new or groundbreaking though. But anyway, considering the file was new (version 3.8 of WinRAR is the latest and was only released at the end of September), we decided to dig a little further. We started looking for possible online sources for the file, and keeping in mind that the version of the software is new, we thought we might get lucky. After some time, we tracked down one of the sources. And what we found was interesting. We tracked this piece of malware as being served through one of the largest free torrent trackers in existence. Torrents are widely used nowadays and malware authors have infiltrated this free community also. We know this isn’t a singular case- other downloads are also disguised malware files. Different software, same idea. Other downloads contained Vundo trojan instead of Zlob. So, they are repackaging software and adding a silent install inside that is actually malware. For some users, it has become a habit to download software from free trackers. And sometimes they get away with warez or cracked software. In other cases, like this one, the cost of free software might be too high, as these trojans may steal your data.
Patrik Vicol && Andrei Saygo