Caution: Malware on Fake WinRAR Websites Hosted on GitHub

Security researchers identified a fake WinRAR distribution site at win-rar.co that typosquats the legitimate WinRAR site (win-rar.com) to push malware components hosted on GitHub. The infection chain begins with a PowerShell script (zx.ps1) that sends system information to a Telegram account, followed by multi-stage malware including ransomware, cryptominer, and infostealer tooling hosted on a GitHub project named encrypthub. #WinRAR #win-rar.co #zx.ps1 #ShellcodePS1 #encrypthub #KematianStealer

Keypoints

  • The fake site URL is win-rar.co, designed to closely resemble the official win-rar.com site.
  • URL typosquatting can mislead users into visiting the malicious site.
  • The site hosts a malicious PowerShell script named zx.ps1.
  • Malware components include ransomware, cryptominer, and infostealer capabilities.
  • All scripts start by sending system information to a Telegram account.
  • The malicious components are organized and hosted on a GitHub project page named encrypthub.
  • SonicWall offers protection via signatures and RTDMI/Capture Client technologies; users should only download software from official sources.

MITRE Techniques

  • [T1071.001] Application Layer Protocol – Using a fake website to lure users into downloading malware.
  • [T1059.001] PowerShell – Executing the malicious PowerShell script zx.ps1.
  • [T1547.001] Registry Run Keys / Startup Folder – Potentially using registry keys to maintain persistence on the infected system.
  • [T1071] Application Layer Protocol – Sending system information to a Telegram account.
  • [T1041] Exfiltration Over C2 Channel – Exfiltrating data through the established command and control channel.

Indicators of Compromise

  • [Domain] win-rar.co – malicious fake site used to lure victims; 1st-stage delivery
  • [Domain] win-rar.com – legitimate site referenced for comparison (official WinRAR domain)
  • [File] zx.ps1 – malicious PowerShell script hosted on the fake site
  • [File] Shellcode.ps1 – copy of zx.ps1 on the GitHub page
  • [URL] encrypthub – main malware project page hosted on GitHub
  • [Directory] GitHub project components – Exclusions; HVNC; Locker; Miner; Stealer; Tgreport; Worm; Zakrep; Shellcode.ps1 (collection of tool directories/files)
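A practitioner turning the indicators above into a detection would want two checks: an exact match on the IOC domain and file names, and a lookalike test that catches the typosquat pattern (a hostname one edit away from win-rar.com) without ever flagging the legitimate domain by a substring accident. The following Python sweep is an added example written for this page; it is not SonicWall's tooling. The log format, timestamps, client addresses and the GitHub-style URL (`github.example`, a constructed placeholder, since the page does not give the real project URL) are all constructed for the demonstration; the domains and file names come from the indicator list.

```python
"""IOC sweep for the fake WinRAR campaign: exact IOC match plus typosquat check.

Added example for this page (not SonicWall's code). Domains and file names
are the page's indicators; the log lines are constructed sample data.
"""
import re
from urllib.parse import urlparse

# Indicators from the page. Hosts are compared as whole labels (exact host or
# subdomain), so the legitimate win-rar.com is never matched by accident.
MALICIOUS_DOMAINS = {"win-rar.co"}
MALICIOUS_FILES = {"zx.ps1", "shellcode.ps1"}  # compared case-insensitively
LEGITIMATE_DOMAIN = "win-rar.com"

# Constructed proxy-style log lines: "<timestamp> <client> <method> <url> <status>".
# github.example is a placeholder host, not the real project URL.
SAMPLE_LOG = """\
2024-08-12T10:01:03Z 10.0.0.5 GET https://www.win-rar.com/download.html 200
2024-08-12T10:02:17Z 10.0.0.7 GET http://win-rar.co/zx.ps1 200
2024-08-12T10:02:40Z 10.0.0.7 GET https://github.example/encrypthub/Shellcode.ps1 200
2024-08-12T10:03:01Z 10.0.0.9 GET https://win-rar.co/ 200
2024-08-12T10:04:55Z 10.0.0.9 GET https://example.com/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def host_matches(host, domains):
    """True if host equals one of the IOC domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, legit=LEGITIMATE_DOMAIN, max_distance=1):
    """True if host is within max_distance edits of the legitimate domain
    but is not that domain itself (www. prefix ignored)."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host != legit and edit_distance(host, legit) <= max_distance


def scan_line(line):
    """Return a hit record for one log line, or None if nothing matched."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m["url"])
    host = url.hostname or ""
    filename = url.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host_matches(host, MALICIOUS_DOMAINS):
        reasons.append(f"ioc-domain:{host}")
    elif is_lookalike(host):
        reasons.append(f"lookalike-of-{LEGITIMATE_DOMAIN}:{host}")
    if filename in MALICIOUS_FILES:
        reasons.append(f"ioc-file:{filename}")
    if not reasons:
        return None
    return {"client": m["client"], "url": m["url"], "reasons": reasons}


def scan_log(text):
    """Scan a whole log and return the list of hit records in order."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The lookalike check is deliberately separate from the exact IOC match: the exact match is what you alert on with confidence, while a distance-1 neighbour of win-rar.com is a lower-confidence signal that is worth reviewing, since the next typosquat domain in a campaign like this will not be on anyone's indicator list yet.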

Read more: https://blog.sonicwall.com/en-us/2024/08/beware-of-fake-winrar-websites-malware-hosted-on-github/