Hackers are including malicious performance to WinRAR self-extracting archives that comprise innocent decoy recordsdata, permitting them to plant backdoors with out triggering the safety agent on the goal system.

Self-extracting archives (SFX) created with compression software program like WinRAR or 7-Zip are basically executables that comprise archived information together with a built-in decompression stub (the code for unpacking the information). Entry to those recordsdata may be password-protected to forestall unauthorized acces.

The aim of SFX recordsdata is to simplify distribution of archived information to customers that do not need a utility to extract the package deal.

Researchers at cybersecurity firm CrowdStrike noticed the SFX abuse throughout a current incident response investigation.

SFX assaults within the wild

Crowdstrike’s evaluation found an adversary that used stolen credentials to abuse ‘utilman.exe’ and set it to launch a password-protected SFX file that had been planted on the system beforehand.

Utilman is an accessibility software that may be executed earlier than person login, typically abused by hackers to bypass system authentication.

The SFX file triggered by utilman.exe is password-protected and comprises an empty textual content file that serves as a decoy.

The true perform of the SFX file is to abuse WinRAR’s setup choices to run PowerShell, Home windows command immediate (cmd.exe), and activity supervisor with system privileges.

Taking a more in-depth take a look at the method used, Jai Minton of CrowdStrike discovered that the attacker had added a number of instructions to run after the goal extracted the archived textual content file.

Whereas there isn’t any malware within the archive, the menace actor added instructions below the setup menu for creating an SFX archive that may open a backdoor on the system.

As seen within the picture above, the feedback present that the attacker personalized the SFX archive in order that there isn’t any dialog and window displayed through the extraction course of. The menace actor additionally added directions to run PowerShell, command immediate, and activity supervisor.

WinRAR presents a set of superior SFX choices that permit including a listing of executables to run mechanically earlier than or after the method, in addition to overwrite current recordsdata within the vacation spot folder if entries with the identical identify exist.

“As a result of this SFX archive could possibly be run from the logon display screen, the adversary successfully had a persistent backdoor that could possibly be accessed to run PowerShell, Home windows command immediate and activity supervisor with NT AUTHORITYSYSTEM privileges, so long as the proper password was offered,” explains Crowdstrike.

“One of these assault is more likely to stay undetected by conventional antivirus software program that’s on the lookout for malware within an archive (which is commonly additionally password-protected) reasonably than the conduct from an SFX archive decompressor stub,” the researchers add.

Crowdstrike claims that malicious SFX recordsdata are unlikely to be caught by conventional AV options. In our assessments, Home windows Defender reacted after we created an SFX archive personalized to run PowerShell after extraction.

Microsoft’s safety agent detected the ensuing executable as a malicious script tracked as Wacatac and quarantined it. Nevertheless, we recorded this response solely as soon as and couldn’t replicate it.

The researchers advise customers to pay specific consideration to SFX archives and use acceptable software program to verify the content material of the archive and search for potential scripts or instructions scheduled to run upon extraction.