A newly discovered malware campaign uses fake WinRAR download sites to deliver the Winzipper malware to unsuspecting users.
The links were distributed across various Chinese websites and target users who try to download the popular archiver from unofficial sources.
The trojanized installer is a real risk for anyone who grabs software in a hurry without verifying where the download comes from.
The attackers exploit the widespread practice of downloading WinRAR from third-party websites by packaging harmful code alongside the real installer.
Once executed, the malware profiles the host by reading Windows profile information and uses the result to choose which payload to deploy on that particular victim.
Tailoring the payload to the machine raises the infection's success rate across different configurations, which makes the campaign a concern for home and business users alike.
Malwarebytes analysts identified the campaign after finding the initial sample wrapped in several layers of obfuscation and compression.
Infection mechanism
The infection mechanism reveals a complex multi-stage delivery system designed specifically to evade detection.
The original file, named winrar-x64-713scp.zip, contains a UPX-packed executable that uses deliberate anomalies in its structure to complicate analysis.
Once unpacked, the file exposes two embedded components: the legitimate WinRAR installer and a password-protected archive named setup.hta.
The setup.hta archive is the actual malicious component; it stays obfuscated on disk and is unpacked directly into memory at runtime.
Staging the payload in memory hampers simple file-based detection. During dynamic analysis on isolated systems, researchers observed the file spawning nimasila360.exe, a component associated with the Winzipper malware family.
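The triage described above (a UPX-packed outer executable with structural anomalies, a second embedded PE and a password-protected archive) can be reproduced with a small static scanner. The following is an added example, not tooling from Malwarebytes or from the original article: it parses the PE section table, flags packer-style anomalies, carves nested PE images and zip local-file headers, and reads the zip encryption flag. The sample it runs on is constructed in code as a stand-in for winrar-x64-713scp.zip; it is not the real malware.

```python
"""Static triage of a suspected trojanized installer (constructed sample, not the real dropper)."""
import struct

SECTION_ENTRY = 40  # size of one IMAGE_SECTION_HEADER


def parse_sections(data: bytes) -> list:
    """Walk the DOS/COFF headers and return the section table as dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + SECTION_ENTRY * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return sections


def _looks_like_pe(data: bytes, off: int) -> bool:
    """True if a plausible PE image starts at `off` (MZ header whose e_lfanew hits 'PE\\0\\0')."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[sig:sig + 4] == b"PE\0\0"


def find_embedded_pes(data: bytes) -> list:
    """Offsets of PE images nested inside the file (the outer image at offset 0 is skipped)."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if _looks_like_pe(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_zip_entries(data: bytes) -> list:
    """Zip local-file headers anywhere in the file; bit 0 of the flags word means encrypted."""
    entries, pos = [], data.find(b"PK\x03\x04")
    while pos != -1:
        if pos + 30 <= len(data):
            flags = struct.unpack_from("<H", data, pos + 6)[0]
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            entries.append({"offset": pos, "name": name, "encrypted": bool(flags & 1)})
        pos = data.find(b"PK\x03\x04", pos + 4)
    return entries


def analyze(data: bytes) -> dict:
    """Combine the checks into one triage report."""
    sections = parse_sections(data)
    anomalies = []
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            anomalies.append(f"{s['name']}: no raw data but 0x{s['virtual_size']:x} bytes virtual (packer-style)")
        if s["raw_ptr"] + s["raw_size"] > len(data):
            anomalies.append(f"{s['name']}: raw data runs past end of file")
    return {
        "sections": [s["name"] for s in sections],
        "upx_packed": any(s["name"].startswith("UPX") for s in sections),
        "anomalies": anomalies,
        "embedded_pe_offsets": find_embedded_pes(data),
        "zip_entries": find_zip_entries(data),
    }


def build_sample() -> bytes:
    """Constructed stand-in for the dropper: UPX-style outer PE carrying a second PE and an
    encrypted zip entry named setup.hta. Synthetic data, not the real file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)  # x64, 3 sections, 240-byte optional header

    def section(name, vsize, vaddr, rawsize, rawptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0xE0000040)

    header = (bytes(dos) + b"PE\0\0" + coff + bytes(0xF0)
              + section(b"UPX0", 0x20000, 0x1000, 0, 0x400)      # zero raw size: filled at runtime
              + section(b"UPX1", 0x8000, 0x21000, 0x1000, 0x400)
              + section(b".rsrc", 0x1000, 0x29000, 0x80, 0x1400)).ljust(0x400, b"\0")
    stub = bytes(0x1000)                                          # stands in for the compressed code
    inner = bytearray(64)
    inner[:2] = b"MZ"
    struct.pack_into("<I", inner, 0x3C, 64)
    inner_pe = bytes(inner) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, 0x22)
    name = b"setup.hta"
    zip_lfh = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, 1, 0, 0, 0, 0, 12, 12, len(name), 0) + name + bytes(12)
    return header + stub + inner_pe + zip_lfh


SAMPLE_FILE = build_sample()

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

Run it on a real suspect file by replacing SAMPLE_FILE with the file's bytes. A hit on all three checks (UPX section names, a zero-raw-size section, and a second PE plus an encrypted zip entry in the body) is the static signature of the layout described above; it does not, on its own, identify the family, which is why the article's dynamic run in an isolated system is still needed.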
Once installed, Winzipper operates as a backdoor trojan that gives the attackers remote access to the compromised machine.
The backdoor enables data theft, remote control of the system, and installation of secondary payloads, all while posing as a legitimate file archive utility; users typically remain unaware of the infection until significant damage has been done.
The fake download domains include winrar-tw.com, winrar-x64.com, and winrar-zip.com; Malwarebytes currently blocks all three.
Users should download WinRAR exclusively from official sources, check that the installer carries a valid digital signature from the vendor before running it, and keep anti-malware protection current to avoid infection from these fake installer campaigns.
