Hello, welcome to the Tuesday, February 26, 2019 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich.

And I'm recording from Augusta, Georgia.

Last week, Checkpoint disclosed a 15-year-old warner in the compression tool WinRRR.

While not installed by default on Windows systems, MinRRR is still quite popular and has sort of a significant following.

Now typically of course it's used for the RR compression format which tends to be more efficient and more space-saving than SIP.

But the vulnerability that the checkpoint uncovered is actually not related to the RAR format.

Instead, it's related to another format supported by WRRR and it's called the Ace Format.

It's other compression method and yes, it's also supported by this tool as well as other tools.

To make things more complicated, the WinRRR developers actually,, it's an old tool. They no longer have

the source code for the affected DLL. So what they instead did is they essentially just

removed ACE support from WinRAR and with that mitigated the vulnerability. So this

happened last week, but today I saw a report by 360 threat intelligence,

actually a tweet, where they say that there are now some mal-spammed exploits that are using

attachments that exploit this particular ace vulnerability in Winrarr. A sample of the exploit code was submitted to a virus total.

AV detection, well, it's sort of mixed at this point, and I would highly recommend that you expedite patching WinRRR.

If you still need ACE support, well, there are a number of alternative tools that will support this format for you.

In talking about malicious spam, DDA posted the latest greatest version of Sextortion.

This particular campaign

actually uses a QR code

to encode the Bitcoin address.

My guess here is

...