Warning: Fake WinRar Websites Distributing Malware
SonicWall has recently issued a cybersecurity alert about a deceptive website that mimics the official WinRar site. This fake site, win-rar.co, not only closely resembles the legitimate WinRar site but also hosts a plethora of malicious software.
The fake website appears to distribute WinRar, a well-known data compression, encryption, and archiving tool for Windows. By using a tactic known as typosquatting, the attackers capitalize on users who may accidentally mistype the URL of the official website (win-rar.com), omitting the “-m” in “.com.” This small error directs users to the malicious site win-rar.co, where the threat begins.
Once on the fake site, users are tricked into downloading a malicious shell script that initiates a multi-stage malware attack. This script triggers the download of additional malicious components hosted on GitHub, including ransomware, a cryptominer, and an infostealer.
Shell script zx.ps1 hosted on the fake WinRar website | Image: SonicWall
The GitHub repository, named “encrypthub,” reveals a treasure trove of tools at the attackers’ disposal. These tools enable them to:
- Disable Windows Defender
- Establish remote access to infected systems
- Deploy ransomware to encrypt files and demand ransom
- Mine cryptocurrency using victims’ computing power
- Steal sensitive information, including login credentials
Interestingly, all shell scripts in the encrypthub project start by sending a message to a Telegram account, providing details such as the system’s computer name, username, and geolocation. While SonicWall’s analysis has not yet observed all components being used in a single attack, the presence of these tools highlights the potential for multi-staged, complex malware campaigns.
SonicWall strongly advises users to:
- Download software only from official and reputable websites.
- Be vigilant and cautious when installing software programs, especially if unsure of the source.
- Keep antivirus and anti-malware software updated to detect and block malicious activities.
- Regularly back up important data to mitigate the impact of ransomware attacks.
Related Posts:
- Google TAG Alerts on Exploitation of WinRAR Vulnerability by State-Backed Hackers
- Hackers exploit CVE-2023-38831 zero-day vulnerability in WinRAR
- WinRAR Code Execution Vulnerability
- APT29’s Espionage Campaign Exploits WinRAR Flaw, Targets Embassies
- Malware Exploiting IoT Devices on the Rise, SonicWall Warns
