SonicWall has issued a critical cybersecurity alert regarding a fraudulent website, win-rar.co, which closely imitates the legitimate WinRAR site (win-rar.com). The deceptive site exploits a common typing error, dropping the trailing “m” of “.com” so that the address ends in “.co”, to mislead unsuspecting users into downloading malicious software masquerading as the popular data compression and encryption tool, WinRAR.
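A defender can catch this class of look-alike domain by generating every one-character-deletion variant of a trusted domain and matching DNS query logs against them. The following is an added example, not code from SonicWall or the advisory; the allow-list, the log format and the log lines are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Set

# Assumption: the organization's list of trusted domains to protect.
TRUSTED_DOMAINS = ["win-rar.com"]

def deletion_variants(domain: str) -> Set[str]:
    """Return every string obtained by dropping exactly one character from
    `domain`, e.g. 'win-rar.com' -> {'win-rar.co', 'winrar.com', ...}.
    The original domain is never part of the result."""
    return {domain[:i] + domain[i + 1:] for i in range(len(domain))}

def build_lookalike_index(trusted: Iterable[str]) -> Dict[str, str]:
    """Map each one-deletion look-alike back to the trusted domain it imitates."""
    index: Dict[str, str] = {}
    for d in trusted:
        for v in deletion_variants(d.lower()):
            index.setdefault(v, d.lower())
    return index

# Constructed sample DNS query log (not from the advisory):
# "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 win-rar.com
2024-01-01T10:00:07Z 10.0.0.9 win-rar.co
2024-01-01T10:00:12Z 10.0.0.5 example.org
2024-01-01T10:00:30Z 10.0.0.12 win-rar.com.
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")

def find_typosquats(log_text: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> List[dict]:
    """Flag queried names that are exactly one deletion away from a trusted domain.
    Names are lower-cased and stripped of a trailing dot before lookup, so the
    fully qualified form 'win-rar.com.' is not mistaken for a look-alike."""
    index = build_lookalike_index(trusted)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in index:
            hits.append({"time": ts, "client": client,
                         "queried": qname, "imitates": index[qname]})
    return hits

if __name__ == "__main__":
    for hit in find_typosquats(SAMPLE_DNS_LOG):
        print(f"{hit['time']} {hit['client']} queried {hit['queried']} "
              f"(look-alike of {hit['imitates']})")
```

A variant hit is a triage signal, not proof of abuse: the same owner may legitimately register some variants, so confirmed-benign names belong on an allow-list before alerting.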
Once users land on the fake website, they are prompted to download a malicious shell script designed to launch a multi-stage malware attack. This script subsequently fetches additional destructive components from a GitHub repository named “encrypthub,” from which a range of harmful tools can be deployed. These tools allow attackers to disable critical security features such as Windows Defender, gain remote access to compromised systems, encrypt files with ransomware, leverage infected machines for cryptocurrency mining, and exfiltrate sensitive data, including user credentials.
Alarmingly, the shell scripts, once launched, communicate with an attacker-controlled Telegram account, transmitting system information such as computer names, usernames, and geolocations. Although not all of these components have been observed together in a single attack, the availability of such tools indicates a high potential for sophisticated malware campaigns.
To safeguard against such threats, SonicWall emphasizes the importance of downloading software strictly from official and reputable sources, exercising caution during software installations, maintaining updated antivirus solutions, and routinely backing up critical data to mitigate potential ransomware impacts.