What is a RAR File

5/13/2025 - Brian O'Neill
Roshal Archives (RAR) – named after their creator, Eugene Roshal – are compressed archives used for bundling files together into a single download-friendly or storage-friendly package. They're comparable to ZIP files in terms of their utility, but they notably offer more advanced compression, error recovery and file spanning capabilities than ZIP does. While RAR files have myriad practical benefits, they also come with serious security implications – particularly in the context of file uploads, email attachments, and endpoint exposure.

In this article, you'll learn exactly what RAR files are and how they're structured. You'll also learn how they specifically differ from ZIP files – and why that difference in structure can make them a preferred attack vector for certain threat actors. We'll break down some of the most common techniques used to weaponize RAR archives, and we'll explore a real-world RAR-based attack and CVE example. At the end, we'll explain how Cloudmersive's Advanced Virus Scan API unpacks RAR archives and identifies hidden threats within them.

Understanding How RAR Archives Are Structured

RAR files use a proprietary compression format designed for efficient storage and multi-part archiving. They can carry multiple compressed files and folders, and – unlike ZIP – they natively support the option to split large archives into multiple volumes. This makes it easier to store and transfer larger files via RAR, which is particularly advantageous when file size limitations on storage devices (or email attachments) come into play.

While ZIP files allow for a more open and straightforward file structure, RAR files use a considerably more complex and less extensively documented format. RAR file structure is proprietary, requiring specialized software like WinRAR (the original RAR software, also created by Eugene Roshal) to create, open, extract, and manage it. This largely explains why ZIP is the more popular compressed archive format overall – and it also explains why RAR is considered more difficult to inspect with traditional security tools, especially when encryption or volume splitting is involved. Any archive-based threat vector is a security headache, but RAR is chief among them.

Why RAR Files are Effective Attack Vectors

An opaque format like RAR gives attackers a significant edge in sneaking malicious content past antivirus (AV) scanners. For starters, RAR files support password protection (just like ZIP), and that alone can prevent weakly configured AV policies from inspecting the full archive. Any automated system that relies on tools being able to see inside a file and analyze it will need to employ specific policies for secured or encrypted RAR archives to fully vet their content.

The list of RAR-based threats far exceeds basic malware iterations, too. Threat actors can bury malicious scripts, executables, and dozens of other unique payloads deep inside a RAR file's nested directory structure. The metadata and internal structure of a RAR file can be manipulated to appear harmless – or even to further obfuscate its malicious contents. The multi-volume feature RAR offers can also be exploited to devastating effect; attackers can break malicious payloads into multiple parts, forcing security policies to analyze each part together to identify the cohesive threat.

Common Attack Techniques Using RAR Files

Below, we'll go over a few of the most common ways RAR files are used to pass malicious payloads into our environment.

Phishing Attachments

Email phishing campaigns using complex, highly exploitable file types like RAR aren't anything new – but they remain a pervasive and effective attack vector. Malicious RAR email attachments can hide any number of unique and dangerous file types – like disguised executable files (e.g., .scr or .exe) – which might be engineered to appear as harmless images or PDFs when viewed within the archive. Threat actors like to bury innocuous-looking files within archives to lull users into a false sense of security; once opened, these files can instantly drop malware or establish persistence on the user's machine.

Payload Obfuscation

Signature-based malware detection and content verification policies work well when an AV engine can directly access the contents of any given file. Since RAR files are compressed archives capable of holding dozens upon dozens of individual files at once, AV engines need to scan all the way through them to identify individual instances of threatening content. If an AV engine scans the RAR archive alone for malware signatures, or only validates that the RAR structure itself is well-formed – failing to unpack each subfile and analyze it for threats independently – it will fail to perform a crucial security function. Exploiting AV engines which inadequately scan compressed archive subfiles is straightforward for novice and sophisticated threat actors alike. Attackers can compress one malicious file among dozens of clean, legitimate files in a RAR archive to avoid AV detection and additionally increase their chances of tricking victims who open the archive later.

Compressed Multi-Stage Malware Installers

As we covered earlier, the structured, multi-part archive format that RAR offers allows attackers to package and organize multiple files into a single archive file. Attackers can create archives with controlled order and optional compression, making them ideal for staging multi-step installations post extraction. Multi-step installation in this case means forming a complete attack chain. For example, a single RAR archive might contain an initial dropper script, configuration files, and a secondary payload, and all three components might be coordinated to initiate installation once the archive is extracted. When investigating malicious RAR archives structured in this esoteric way, even the more advanced security tools won't necessarily analyze the full contents or execution logic. This may result in the executable content appearing suspicious but inert in post-scan diagnostics.

Leveraging Compression to Bypass Upload Restrictions

If a file upload workflow uses filters which only seek to root out obvious executable extensions, threat actors can slip malicious archives past security controls and onto the underlying web server with ease. Once the archive reaches the server (or cloud storage container), it may be trusted and subsequently extracted or accessed by another system, allowing the embedded payload to execute indirectly.

RAR Attack in the Wild: Agent Tesla Campaign

In 2020, threat actors used RAR files (among several other compressed archive file types) to distribute the Agent Tesla keylogger – a popular remote access trojan (RAT) used for stealing credentials and tracking user activity. Archives containing executables disguised as PDFs were sent to unsuspecting victims via phishing emails; once they were extracted and opened, the executables quietly installed Agent Tesla in the background, giving the attacker access to victims' keystrokes and clipboard data. Even half a decade later, this attack remains a great example of how straightforward it can be for threat actors to embed executable malware within the RAR format (and other compressed archive formats). Password protection and misleading file names helped bypass security checks with ease, and straightforward social engineering goaded users into activating the compressed executable content.

Mitigating RAR Threats with Cloudmersive's Advanced Virus Scan API

Cloudmersive's Advanced Virus Scan API scans the outer container of RAR files and inspects the contents of the archive – even when files are embedded deep within complex directory structures or contain multiple nested files themselves. This multi-layered inspection makes it possible to identify a wide range of threats, including known malware signatures, executables, scripts, macro-enabled documents, spoofed file content (e.g., executables disguised as images or PDFs), and more.

The Advanced Virus Scan API adds a crucial layer of protection in any environment which allows file uploads, receives email attachments, or handles automated document ingestion in any capacity. Blocking dangerous RAR files before storage, extraction, and subfile opening prevents immediate system compromise and mitigates the risk of downstream threat exposure. The Advanced Virus Scan API can be integrated with individual web applications, deployed at the network edge, or used in defense of cloud storage containers as a no-code solution.

Conclusion

As powerful, flexible, and downright useful as RAR files are for compressing and bundling files, they also offer threat actors a reliable way to sneak malicious content past weakly configured scanners and unsuspecting users. Their complex structure, encryption capabilities, and ability to effectively obscure payloads position them as a serious concern for any system accepting files from external networks. For expert advice in deploying Cloudmersive's Advanced Virus Scan API, please contact a member of our team.
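As an added example (not code from the article or from Cloudmersive), here is a header-level triage an upload or mail gateway can run on a RAR before deciding whether to extract it: it identifies the file by magic bytes rather than the claimed extension, reports the multi-volume and header/member encryption flags that the sections above describe as defeating naive scanners, and lists members whose names end in an executable extension (the disguised .exe-behind-.pdf pattern). The RAR 4.x block layout and flag values follow the published RAR technote; the sample archive is constructed by the block's own builder rather than captured from a real campaign, and RAR5 archives are only identified, not parsed.

```python
import struct
import zlib
# RAR 4.x signature and the header flag bits used below (RAR5 has its own signature and vint-based headers)
RAR4_MAGIC, RAR5_MAGIC = b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"
MHD_VOLUME, MHD_PASSWORD = 0x0001, 0x0080  # main header: part of a volume set / headers encrypted
LHD_SPLIT, LHD_PASSWORD, LHD_LARGE, LONG_BLOCK = 0x0003, 0x0004, 0x0100, 0x8000  # file header bits
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1")

def triage_rar(data: bytes) -> dict:
    """Read RAR headers without extracting anything; identify by magic bytes, never by the claimed extension."""
    info = {"format": "RAR4", "encrypted_headers": False, "multi_volume": False,
            "encrypted_files": [], "split_files": [], "executables": [], "names": []}
    if data.startswith(RAR5_MAGIC):
        return {**info, "format": "RAR5"}  # different header layout: hand it to a RAR5-aware scanner
    if not data.startswith(RAR4_MAGIC): raise ValueError("not a RAR archive")
    pos = len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        crc, btype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7 or zlib.crc32(data[pos + 2:pos + hsize]) & 0xFFFF != crc:  # HEAD_CRC = low 16 bits of CRC32
            raise ValueError(f"corrupt header at offset {pos}")
        extra = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0  # packed bytes after header
        if btype == 0x73:  # main archive header
            info["multi_volume"] = bool(flags & MHD_VOLUME)
            info["encrypted_headers"] = bool(flags & MHD_PASSWORD)  # if set, every later header is encrypted
            if info["encrypted_headers"]: break  # member names are unknowable without the password
        elif btype == 0x74:  # file header: the name follows the 32-byte fixed part
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            off = 40 if flags & LHD_LARGE else 32  # LHD_LARGE inserts the high words of 64-bit sizes
            if flags & LHD_LARGE:
                extra += struct.unpack_from("<I", data, pos + 32)[0] << 32
            name = data[pos + off:pos + off + name_len].decode("latin-1")
            info["names"].append(name)
            if flags & LHD_PASSWORD: info["encrypted_files"].append(name)
            if flags & LHD_SPLIT: info["split_files"].append(name)
            if name.lower().endswith(EXEC_EXT): info["executables"].append(name)  # e.g. "invoice.pdf.exe"
        elif btype == 0x7B: break  # end-of-archive block
        pos += hsize + extra
    return info

def _block(btype, flags, body):
    """RAR4 header block with a valid HEAD_CRC; used only to build the constructed sample below."""
    hdr = struct.pack("<BHH", btype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(hdr) & 0xFFFF) + hdr

def sample_archive() -> bytes:
    """Constructed RAR4 sample (not a real capture): one encrypted double-extension member, one clean member."""
    def member(name, payload, flags):  # fixed part: sizes, host OS, CRC, time, version, method, name len, attrs
        fixed = struct.pack("<IIBIIBBHI", len(payload), len(payload), 2, 0, 0, 29, 0x30, len(name), 0x20)
        return _block(0x74, LONG_BLOCK | flags, fixed + name) + payload
    return (RAR4_MAGIC + _block(0x73, 0, b"\0" * 6) + member(b"invoice.pdf.exe", b"MZ\0\0", LHD_PASSWORD)
            + member(b"readme.txt", b"hello", 0) + _block(0x7B, 0, b""))
```

A gateway policy built on this would hold anything with encrypted headers or a volume set until every part is available and a full scanner can open it, rather than trusting the outer container.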