ESET discovered CVE-2025-8088, a WinRAR path traversal zero-day abused in spearphishing campaigns by the Russia-aligned group RomCom to deploy backdoors (Mythic agent, SnipBot variant, RustyClaw/MeltingClaw) to targets in Europe and Canada. WinRAR patched the issue in version 7.13 after disclosure; users and software relying on UnRAR components should update immediately. #CVE-2025-8088 #RomCom #Mythic #SnipBot #RustyClaw #MeltingClaw
Key points
- ESET discovered a WinRAR zero-day (CVE-2025-8088) on July 18, 2025, exploiting alternate data streams for path traversal.
- The vulnerability allowed malicious ADSes in RAR archives to silently deploy DLLs and LNK files when extracted.
- RomCom (aka Storm-0978/UNC2596) used spearphishing RAR attachments targeting finance, manufacturing, defense, and logistics in Europe and Canada.
- Delivered payloads included a Mythic agent, a SnipBot variant, and RustyClaw/MeltingClaw downloaders, using COM hijacking, LNK persistence, and various C2 domains.
- ESET advised updating to WinRAR 7.13 immediately and warned that any software that bundles UnRAR.dll or builds from the UnRAR sources is affected as well.
- RomCom has a history of exploiting zero-days (CVE-2023-36884, CVE-2024-9680/CVE-2024-49039) and was attributed with high confidence based on TTPs and malware.
- IoCs include multiple malicious archive hashes, filenames (msedge.dll, ApbxHelper.exe, Complaint.exe, install_module_x64.dll), and C2 domains/IPs such as srlaptop[.]com, campanole[.]com, gohazeldale[.]com.
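The key points above describe the exploit pattern at the archive level: an entry whose alternate data stream name carries `..\` path traversal so that extraction drops a LNK into the Startup folder or a DLL/EXE under %LOCALAPPDATA%. The following is an added example (not ESET's code, and not part of the original summary) that triages archive entry names for exactly that shape. It assumes the entry names have already been pulled from the archive by a listing tool; the sample listing is constructed to mirror the report's description, not taken from a real sample.

```python
"""
Triage archive entry names for the ADS + path-traversal pattern.

Added example for illustration. Input is a list of entry names as a
listing tool would report them, with an NTFS stream written as
'file:stream'. The sample listing below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Locations an archive extraction should never be writing to on its own.
SENSITIVE_TARGETS = (
    r"microsoft\windows\start menu\programs\startup",
    r"appdata\local",
    r"appdata\roaming",
)

_DRIVE_RE = re.compile(r"^[A-Za-z]:")
_ABS_RE = re.compile(r"^([A-Za-z]:)?[\\/]")
_SEP_RE = re.compile(r"[\\/]+")


@dataclass
class EntryVerdict:
    name: str
    base_path: str
    stream: Optional[str]
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_ads(name: str) -> Tuple[str, Optional[str]]:
    """Split 'file.txt:stream' into (file.txt, stream).

    The colon of a drive letter ('C:') is not a stream separator, so the
    search starts after it.
    """
    start = 2 if _DRIVE_RE.match(name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def has_traversal(path: str) -> bool:
    """True if any path component is '..'."""
    return any(part == ".." for part in _SEP_RE.split(path))


def is_absolute(path: str) -> bool:
    return bool(_ABS_RE.match(path))


def targets_sensitive(path: str) -> bool:
    normalised = path.replace("/", "\\").lower()
    return any(t in normalised for t in SENSITIVE_TARGETS)


def assess_entry(name: str) -> EntryVerdict:
    """Score a single entry name; every reason appended is a red flag."""
    base, stream = split_ads(name)
    verdict = EntryVerdict(name, base, stream)
    if has_traversal(base):
        verdict.reasons.append("traversal in entry path")
    if is_absolute(base):
        verdict.reasons.append("absolute entry path")
    if stream is not None:
        # A legitimate stream name (e.g. Zone.Identifier) never contains a
        # path separator or a '..' component.
        if re.search(r"[\\/]", stream):
            verdict.reasons.append("path separator inside ADS name")
        if has_traversal(stream):
            verdict.reasons.append("traversal inside ADS name")
        if stream.lower().endswith((".lnk", ".dll", ".exe")):
            verdict.reasons.append("executable-type ADS name")
    for candidate in (base, stream or ""):
        if targets_sensitive(candidate):
            verdict.reasons.append("writes to autostart or profile location")
            break
    return verdict


def scan_listing(names: List[str]) -> List[EntryVerdict]:
    return [assess_entry(n) for n in names]


# Constructed sample listing: a decoy document plus two hostile streams
# (shape only; these are not names from a real sample) and one benign stream.
SAMPLE_LISTING = [
    "Candidate_CV.pdf",
    "Candidate_CV.pdf:..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Updater.lnk",
    "Candidate_CV.pdf:..\\..\\..\\..\\AppData\\Local\\ApbxHelper.exe",
    "notes.txt:Zone.Identifier",
]

if __name__ == "__main__":
    for v in scan_listing(SAMPLE_LISTING):
        print(("SUSPICIOUS " if v.suspicious else "ok         ") + v.name)
        for r in v.reasons:
            print("    - " + r)
```

Run it as-is to see the two hostile entries flagged and the two benign ones pass; in practice feed `scan_listing` the names from whatever lister you use on mail-gateway quarantine, and treat any entry with a separator or `..` inside its stream name as a blocking verdict rather than a score, since there is no legitimate reason for one.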
MITRE Techniques
- [T1583] Acquire Infrastructure – RomCom sets up VPSes and registers domains to support C2 and delivery (“RomCom sets up VPSes and buys domain names.”).
- [T1587.001] Develop Capabilities: Malware – RomCom develops malware in multiple languages (“RomCom develops malware in multiple programming languages.”).
- [T1587.004] Develop Capabilities: Exploits – RomCom may develop exploits used for initial compromise (“RomCom may develop exploits used for initial compromise.”).
- [T1588.005] Obtain Capabilities: Exploits – RomCom may acquire exploits used for initial compromise (“RomCom may acquire exploits used for initial compromise.”).
- [T1588.006] Obtain Capabilities: Vulnerabilities – RomCom may obtain vulnerability information for targeting (“RomCom may obtain information about vulnerabilities that it uses for targeting victims.”).
- [T1608] Stage Capabilities – RomCom stages malware on multiple delivery servers (“RomCom stages malware on multiple delivery servers.”).
- [T1566.001] Phishing: Spearphishing Attachment – Campaigns delivered weaponized RAR attachments as CV/spearphishing (“RomCom compromises victims with a malicious RAR attachment sent via spearphishing.”).
- [T1204.002] User Execution: Malicious File – Victims are lured to open a RAR that exploits WinRAR to run malicious files (“RomCom lures victims into opening a weaponized RAR archive containing an exploit.”).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – LNK files are placed in the Startup folder for persistence (“For persistence, RomCom stores a LNK file in the Startup folder.”).
- [T1546.015] Event Triggered Execution: Component Object Model Hijacking – COM hijacking via CLSID/InprocServer32 to load msedge.dll (“RomCom hijacks CLSIDs for persistence.”).
- [T1497] Virtualization/Sandbox Evasion – Samples check RecentDocs count before executing shellcode to evade sandboxes (“RomCom detects virtual environments by checking for enough RecentDocs.”).
- [T1480] Execution Guardrails – Malware checks a hardcoded domain and other guards to avoid non-targets (“RomCom stops execution if running in a virtual environment. It also checks for a hardcoded domain name before executing.”).
- [T1036.001] Masquerading: Invalid Code Signature – Actors use invalid code-signing certificates to appear legitimate (“RomCom tries to appear more legitimate to users and security tools that improperly handle digital signatures.”).
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Malware decrypts and resolves APIs dynamically (“RomCom decrypts and resolves API dynamically.”).
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – Shellcode and strings are encrypted/encoded and decrypted at runtime (“RomCom decrypts shellcode based on filename and machine artifacts.”).
- [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – Backdoor collects passwords/cookies via a browser stealer module (“The RomCom backdoor collects passwords, cookies, and sessions using a browser stealer module.”).
- [T1552.001] Unsecured Credentials: Credentials In Files – Backdoor collects credentials from files during reconnaissance (“The RomCom backdoor collects passwords using a file reconnaissance module.”).
- [T1087] Account Discovery – Backdoor collects usernames, computer, and domain data (“The RomCom backdoor collects username, computer, and domain data.”).
- [T1518] Software Discovery – Backdoor enumerates installed software and versions (“The RomCom backdoor collects information about installed software and versions.”).
- [T1021] Remote Services – Backdoor creates SSH tunnels for lateral movement (“The RomCom backdoor creates SSH tunnels to move laterally within compromised networks.”).
- [T1560] Archive Collected Data – Collected data is packaged into ZIP archives for exfiltration (“The RomCom backdoor stores data in a ZIP archive for exfiltration.”).
- [T1185] Man in the Browser – Backdoor steals browser cookies, history, and saved passwords (“The RomCom backdoor steals browser cookies, history, and saved passwords.”).
- [T1005] Data from Local System – Backdoor collects files by extension from the local system (“The RomCom backdoor collects specific file types based on file extensions.”).
- [T1114.001] Email Collection: Local Email Collection – Backdoor collects .msg/.eml/.email files (“The RomCom backdoor collects files with .msg, .eml, and .email extensions.”).
- [T1113] Screen Capture – Backdoor takes screenshots of the victim’s computer (“The RomCom backdoor takes screenshots of the victim’s computer.”).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 uses HTTP/HTTPS for communications (“The RomCom backdoor uses HTTP or HTTPS as a C&C protocol.”).
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – Communications encrypted using SSL certificates (“The RomCom backdoor encrypts communication using SSL certificates.”).
- [T1041] Exfiltration Over C2 Channel – Data exfiltration occurs over HTTPS C2 channels (“The RomCom backdoor exfiltrates data using the HTTPS C&C channel.”).
- [T1657] Financial Theft – Operations target companies for financial gain (“RomCom compromises companies for financial interest.”).
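The T1546.015 entry above (a per-user CLSID whose InprocServer32 points at msedge.dll) is the persistence mechanism a responder most wants to find quickly on a suspected host. The following is an added example, not ESET's code and not from the original summary, that parses a `.reg` export of the user hive and reports per-user InprocServer32 registrations whose server DLL sits under a user-writable path, with a second look at any DLL named msedge.dll that is not inside an Edge install directory. The CLSIDs in the sample export are all-zero placeholders, and the export text is constructed.

```python
"""
Find per-user COM server registrations that look like CLSID hijacks.

Added example for illustration. Input is the text of a .reg export
(HKCU\Software\Classes\CLSID or an HKEY_USERS\<SID> equivalent); the
sample export below is constructed with placeholder CLSIDs.
"""
import re
from typing import Dict, List, Optional, Tuple

# Only per-user hives: that is where a hijack shadows a machine-wide CLSID
# without needing administrator rights.
KEY_RE = re.compile(
    r"^\[(HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\Software\\Classes\\CLSID\\"
    r"(\{[^}]+\})\\InprocServer32\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Directories an unprivileged user can write to; a COM server loaded from
# here is under the user's (or the intruder's) control.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping ('\\\\' -> '\\', '\\"' -> '"')."""
    return value.replace("\\\\", "\\").replace('\\"', '"')


def find_user_com_hijacks(reg_text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    current: Optional[Tuple[str, str]] = None  # (hive, clsid) inside a matching key

    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            match = KEY_RE.match(line)
            current = (match.group(1), match.group(2)) if match else None
            continue
        if current is None:
            continue
        match = DEFAULT_VALUE_RE.match(line)
        if not match:
            # Only plain REG_SZ defaults are handled; hex(2) (REG_EXPAND_SZ)
            # exports would need decoding before the same checks apply.
            continue
        dll_path = unescape_reg(match.group(1))
        low = dll_path.lower()
        reasons: List[str] = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("server DLL under user-writable path")
        if low.endswith("\\msedge.dll") and "\\microsoft\\edge\\" not in low:
            reasons.append("msedge.dll outside an Edge install directory")
        if reasons:
            findings.append(
                {"hive": current[0], "clsid": current[1], "dll": dll_path, "reasons": reasons}
            )
    return findings


# Constructed sample export: one hijack-shaped entry, one ordinary per-user
# registration, and one machine-wide key that this scan deliberately ignores.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\Microsoft\\msedge.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\legit.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Local\\x.dll"
"""

if __name__ == "__main__":
    for f in find_user_com_hijacks(SAMPLE_REG_EXPORT):
        print(f"{f['hive']} {f['clsid']} -> {f['dll']}")
        for r in f["reasons"]:
            print("    - " + r)
```

`reg export HKCU\Software\Classes\CLSID out.reg` writes UTF-16, so read the file with `encoding="utf-16"` before passing it in. A hit is a lead, not a conviction: some software does register per-user COM servers under AppData, so pair the finding with the Startup-folder LNK check and the file hashes from the IoC list before calling it.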
Indicators of Compromise
- [File Hash] Malicious archives and payloads – 371A5B8BA86FBCAB80D4E0087D2AA0D8FFDDC70B (Adverse_Effect_Medical_Records_2025.rar), F77DBA76010A9988C9CEB8E420C96AEBC071B889 (Eli_Rosenfeld_CV2 – Copy (10).rar), and other hashes listed.
- [File Name] Deployed binaries used in chains – msedge.dll (Mythic agent), ApbxHelper.exe (SnipBot variant), Complaint.exe (RustyClaw), install_module_x64.dll (MeltingClaw, SHA-1 01D32FE88ECDEA2B934A00805E138034BF85BF83).
- [Domain] C2 and download hosts – srlaptop[.]com (Mythic C2), campanole[.]com (SnipBot variant), gohazeldale[.]com / 162.19.175[.]44 (MeltingClaw C2), and 85.158.108[.]62 (melamorri[.]com RustyClaw C2).
- [IP Address] Hosting for C2 infrastructure – 162.19.175[.]44 (gohazeldale[.]com, OVH SAS), 194.36.209[.]127 (srlaptop[.]com), and 185.173.235[.]134 (campanole[.]com).
- [Filename in Archive] LNK persistence artifacts – Updater.lnk, Display Settings.lnk, Settings.lnk used to trigger DLL/EXE execution from Startup or %LOCALAPPDATA%.