Fake WinRAR downloads hide malware behind a real installer

A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that’s usually a good indicator of a new campaign.

So, I downloaded the file and started an analysis, which turned out to be something of a Matryoshka doll. Layer after layer, after layer.

WinRAR is a popular utility that’s often downloaded from “unofficial” sites, which gives campaigns offering fake downloads a bigger chance of being effective.

Often, these payloads contain self-extracting or multi-stage components that can download further malware, establish persistence, exfiltrate data, or open backdoors, all depending on an initial system analysis. So it was no surprise that one of the first actions this malware took was to access sensitive Windows data in the form of Windows Profiles information.

This, along with other findings from our analysis (see below), indicates that the file selects the “best-fit” malware for the affected system before further compromising or infecting it.

How to stay safe

Mistakes are easily made when you’re looking for software to solve a problem, especially when you want that solution fast. A few simple tips can help keep you safe in situations like this.

• Only download software from official and trusted sources. Avoid clicking links that promise to deliver that software on social media, in emails, or on other unfamiliar websites.
• Use a real-time, up-to-date anti-malware solution to block threats before they can run.

Analysis

The original file was called winrar-x64-713scp.zip and the initial analysis with Detect It Easy (DIE) already hinted at several layers.

Unzipping the file produced winrar-x64-713scp.exe which turned out to be a UPX packed file that required the --force option to unpack it due to deliberate PE anomalies. UPX normally aborts compression if it finds unexpected values or unknown data in the executable header fields, as that data may be required for the program to run correctly. The --force option tells UPX to ignore these anomalies and proceed with decompression anyway.

Looking at the unpacked file, DIE showed yet another layer: (Heur)Packer: Compressed or packed data[SFX]. Looking at the strings inside the file I noticed two RunProgram instances:

RunProgram="nowait:"1winrar-x64-713scp1.exe" "

RunProgram="nowait:"youhua163

These commands tell the SFX archive to run the embedded programs immediately after extraction, without waiting for it to complete (nowait).

Using PeaZip, I extracted both embedded files.

The Chinese characters “安装” complicated the string analysis, but they translate as “install,” which further piqued my interest. The file 1winrar-x64-713scp1.exe turned out to be the actual WinRAR installer, likely included to ease suspicion for anyone running the malware.

After removing another layer, the other file turned out to be a password-protected zip file named setup.hta. The obfuscation used here led me to switch to dynamic analysis. Running the file on a virtual machine showed that setup.hta is unpacked at runtime directly into memory. The memory dump revealed another interesting string: nimasila360.exe.

This is a known file often created by fake installers and associated with the Winzipper malware. Winzipper is a known Chinese-language malicious program that pretends to be a harmless file archive so it can sneak onto a victim’s computer, often through links or attachments. Once opened and installed, it quietly deploys a hidden backdoor that lets attackers remotely control the machine, steal data, and install additional malware, all while the victim believes they’ve simply installed legitimate software.

Indicators of Compromise (IOCs)

Domains:

winrar-tw[.]com

winrar-x64[.]com

winrar-zip[.]com

Filenames:

winrar-x64-713scp.zip

youhua163安装.exe

setup.hta (dropped in C:Users{username}AppDataLocalTemp)

Malwarebytes’ web protection component blocks all domains hosting the malicious file and installer.