Threat actors often use fake websites to trick users into revealing their personal data. These fake websites are also used to distribute malware, steal identities, and facilitate phishing attacks.
Cybersecurity researchers at SonicWall discovered a deceptive WinRar lookalike website that employs typosquatting to distribute malware.
This initial infection triggers the download of multiple malicious components from GitHub, including ransomware, cryptomining software, and information-stealing malware.
Fake WinRar Websites Delivering Ransomware
The fraudulent website win-rar[.]co exploits typosquatting to mimic the legitimate win-rar.com.
It hosts zx.ps1, a malicious PowerShell (.ps1) script that initiates the download of additional harmful components from GitHub.
An investigation of the “encrypthub” GitHub project revealed a repository likely to contain the complete set of files used in this multi-stage malware attack.
A variety of malware tools is available in the “encrypthub” GitHub repository, which was updated last week to include:
- Windows Defender exclusions
- HVNC with ngrok
- Ransomware
- Cryptominer
- Kematian Stealer
- Telegram reporting
- Shellcode injection
- A coordinating script
Every component will start by sending system information to a Telegram account.
No attack using all of these components at once has been observed; rather, this arsenal demonstrates the threat actors' capability for complex multi-stage intrusions.
The GitHub project is further linked to the typosquatting campaign by shellcode.ps1, which mimics the zx.ps1 hosted on win-rar[.]co. To mitigate such threats, users are strongly advised to exercise caution during installations and verify software sources.
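As an added example (not from the article or from SonicWall's research), the check below shows how a defender can flag a typosquat such as win-rar[.]co against a short allow-list of legitimate vendor domains: it catches the TLD swap the article describes (.co for .com) and, more generally, single-character edits and transpositions of the domain label. The allow-list is a constructed assumption for the demo.

```python
"""Flag candidate typosquats of known software-vendor domains."""

# Constructed allow-list of legitimate domains (assumption for this demo).
LEGIT_DOMAINS = ("win-rar.com", "github.com")


def defang(domain: str) -> str:
    """Normalise a domain: lowercase, undo [.] defanging, drop a leading www."""
    dom = domain.strip().lower().replace("[.]", ".")
    return dom[4:] if dom.startswith("www.") else dom


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Treat "wni-rar" vs "win-rar" (swapped neighbours) as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain: str, legit=LEGIT_DOMAINS):
    """Return (verdict, matched_legit_domain).

    verdict is 'legitimate', 'tld-swap', 'lookalike' or 'unknown'.
    """
    dom = defang(domain)
    if dom in legit:
        return "legitimate", dom
    label, _, tld = dom.rpartition(".")
    best = None
    for good in legit:
        glabel, _, gtld = good.rpartition(".")
        if label == glabel and tld != gtld:
            return "tld-swap", good  # e.g. win-rar.co vs win-rar.com
        dist = osa_distance(label, glabel)
        # Allow roughly one edit per six characters of the real label.
        if dist <= max(1, len(glabel) // 6) and (best is None or dist < best[0]):
            best = (dist, good)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for candidate in ("win-rar[.]co", "winrar.com", "www.win-rar.com", "example.org"):
        print(candidate, "->", classify(candidate))
```

A real deployment would feed this the domains seen in proxy or DNS logs and alert on 'tld-swap' and 'lookalike' verdicts rather than blocking outright, since the edit-distance heuristic will also catch some unrelated but similarly spelled names.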