WinRAR SFX archives can run PowerShell without being detected
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
Self-extracting archives (SFX) created with compression software such as WinRAR or 7-Zip are essentially executables that bundle the archived data with a built-in decompression stub (the code that unpacks the data). Access to the archived data can be password-protected to prevent unauthorized extraction.
The purpose of SFX files is to simplify distribution of archived data to users who do not have a utility to extract the package.
Researchers at cybersecurity company CrowdStrike observed the SFX abuse during a recent incident response investigation.
SFX attacks in the wild
CrowdStrike's analysis found an adversary that used stolen credentials to abuse 'utilman.exe', setting it to launch a password-protected SFX file that had been planted on the system earlier.
Utilman is an accessibility application that can be launched from the logon screen before any user signs in, which is why attackers commonly hijack it (typically by replacing the binary or by registering a debugger for it under Image File Execution Options) to get code execution without authenticating.
The SFX file launched via utilman.exe is password-protected and contains only an empty text file that serves as a decoy.
The real function of the SFX file is to abuse WinRAR's setup options to run PowerShell, the Windows command prompt (cmd.exe), and Task Manager with SYSTEM privileges.
Taking a closer look at the technique, Jai Minton of CrowdStrike found that the attacker had added several commands to run after the decoy text file is extracted.
While the archive contains no malware, the threat actor added commands under the Setup tab of WinRAR's advanced SFX options that open a backdoor on the system.
As seen in the image above, the SFX comment shows that the attacker customized the archive so that no dialog or window is displayed during extraction. The threat actor also added instructions to run PowerShell, the command prompt, and Task Manager.
WinRAR's advanced SFX options let the archive author specify a list of executables to run automatically before or after extraction (the Presetup and Setup commands), suppress the extraction dialog (Silent), and overwrite existing files in the destination folder when entries with the same name exist (Overwrite). All of this is stored as plain text in the archive comment, and the decompression stub acts on it; no file inside the archive needs to be malicious.
“Because this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was supplied,” explains CrowdStrike.
“This type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub,” the researchers add.
CrowdStrike claims that malicious SFX files are unlikely to be caught by traditional AV solutions. In our tests, Windows Defender reacted when we created an SFX archive customized to run PowerShell after extraction.
Microsoft's security agent detected the resulting executable as a malicious script tracked as Wacatac and quarantined it. However, we recorded this response only once and could not replicate it.
The researchers advise users to pay particular attention to SFX archives and to use appropriate software to inspect the archive's contents, looking for scripts or commands scheduled to run upon extraction.
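The check described above, and the SFX options discussed earlier, as an added example written for this page (it is not code from the article or from CrowdStrike). It parses the plain-text SFX comment script that WinRAR stores in an SFX executable and flags any Setup/Presetup command that launches a program, plus the options that hide the extraction from the user. Assumptions: the script has already been pulled out of the suspect file, for example with `unrar cw suspect.exe script.txt` (any comment-extraction tool works), and the SAMPLE_SCRIPT below is a constructed script that only mirrors the behaviour the article describes; it is not the archive from the incident.

```python
"""Inspect a WinRAR SFX comment script for commands that run on extraction.

Added example, not code from the article or from CrowdStrike.  Assumption:
the SFX comment has been written to a text file beforehand (e.g. with
`unrar cw suspect.exe script.txt`).  SAMPLE_SCRIPT is constructed for
this example and is not the script from the incident.
"""

# SFX commands that launch a program: Presetup runs before extraction,
# Setup runs after it.  Either one is where a backdoor would hide.
EXEC_COMMANDS = {"setup", "presetup"}

# Options that keep the user from noticing what the stub is doing.
STEALTH_COMMANDS = {
    "silent": "suppresses the extraction dialog",
    "overwrite": "replaces existing files without asking",
    "tempmode": "extracts to a temp folder that is deleted afterwards",
}

# Built-in Windows tools an attacker can call without dropping any malware.
LIVING_OFF_THE_LAND = {
    "powershell.exe", "cmd.exe", "taskmgr.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

# Constructed sample modelled on the article's description; not the real one.
SAMPLE_SCRIPT = """\
; decoy archive: contains only an empty text file
Silent=1
Overwrite=1
Setup=powershell.exe
Setup=cmd.exe
Setup=taskmgr.exe
"""


def parse_sfx_script(text):
    """Return (command, value) pairs from an SFX comment script.

    Handles both 'Command=value' lines and the multi-line form
    'Command' followed by a '{ ... }' block with one value per line.
    Lines starting with ';' are comments.
    """
    entries = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            entries.append((key.strip(), value.strip()))
        elif i < len(lines) and lines[i].strip() == "{":
            i += 1
            while i < len(lines) and lines[i].strip() != "}":
                entries.append((line, lines[i].strip()))
                i += 1
            i += 1  # skip the closing brace
        else:
            entries.append((line, ""))
    return entries


def program_name(command_line):
    """Basename of the first token of a Windows command line, lower-cased."""
    v = command_line.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        v = v[1:end] if end > 0 else v[1:]
    else:
        v = v.split()[0] if v else ""
    return v.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_sfx_script(text):
    """Return (severity, command, detail) findings for an SFX script."""
    findings = []
    for command, value in parse_sfx_script(text):
        key = command.lower()
        if key in EXEC_COMMANDS:
            exe = program_name(value)
            sev = "high" if exe in LIVING_OFF_THE_LAND else "medium"
            findings.append((sev, command, f"runs {value!r} ({exe})"))
        elif key in STEALTH_COMMANDS and value not in ("", "0"):
            findings.append(("medium", command, STEALTH_COMMANDS[key]))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCRIPT
    for sev, cmd, detail in flag_sfx_script(text):
        print(f"[{sev}] {cmd}: {detail}")
```

Run with no arguments to see the constructed sample flagged (three high findings for the Setup lines, two medium for Silent and Overwrite), or pass the path of an extracted comment file. A clean installer script that only sets Title, Text or Path produces no findings; any Setup or Presetup entry is worth a look regardless of severity, since the program it names is what the stub will execute with the privileges of whoever launched the SFX.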