
No suspicion tactics: WinRAR self-extracting archives



Threat actors are embedding malicious functionality in WinRAR self-extracting (SFX) archives to plant persistent backdoors on targeted systems. The SFX files carry only decoy content, but their setup options launch PowerShell, the command prompt and Task Manager with SYSTEM privileges.

What CrowdStrike uncovered

According to CrowdStrike researchers, 

“Hackers initiate the attack by placing a password-protected SFX file on the targeted system, generated using WinRAR or 7-Zip.”

  • The attackers first gain access with compromised login credentials. They then target Utility Manager (utilman[.]exe), a legitimate Windows accessibility binary that can be launched from the logon screen before anyone signs in, which is why it runs as SYSTEM.
  • They register a "debugger" for it in the Windows Registry (the Image File Execution Options entry for utilman[.]exe). Windows starts the configured debugger executable automatically every time the named program is launched, so the debugger path effectively replaces the program.
  • The registered debugger is the SFX archive. It contains only an empty text file as a decoy, but its SFX setup options (the script WinRAR stores in the archive comment) are abused to run PowerShell and a series of further commands, giving the attackers a backdoor into the system.
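The debugger step above relies on the Image File Execution Options (IFEO) mechanism: a `Debugger` value under the IFEO subkey for a program name makes Windows start that value's executable in place of the program. The script below is an added example, not code from the article or from CrowdStrike's report. It scans a `.reg` export of the IFEO key for `Debugger` values and flags any set on accessibility binaries that the logon screen launches as SYSTEM. The sample export embedded in it is constructed, and the debugger path `C:\Users\Public\update.exe` is a hypothetical placeholder.

```python
"""Flag Image File Execution Options (IFEO) 'Debugger' hijacks in a .reg export.

Added example; the registry key path is Windows' real IFEO location, the
sample export and the debugger path are constructed for illustration.
"""
import re

# The IFEO key. A 'Debugger' value under <key>\<program.exe> makes Windows run
# the named debugger instead of program.exe every time program.exe starts.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# Accessibility binaries reachable from the logon screen, where they run as
# SYSTEM. utilman.exe is the one in the CrowdStrike report; the rest are the
# usual companions in this technique.
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Constructed sample export (not real telemetry): one benign key and one hijack.
# The debugger path is a hypothetical placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"MinimumStackCommitInBytes"=dword:00080000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Users\\Public\\update.exe"
'''

# "name"=data lines; the name may contain escaped quotes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        # Only string values matter here; dword:/hex: data is skipped.
        if data.startswith('"') and data.endswith('"'):
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            yield key, name, data


def find_ifeo_hijacks(reg_text):
    """Return every Debugger entry under IFEO, marking accessibility targets."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().startswith(IFEO_KEY.lower()) or name.lower() != "debugger":
            continue
        target = key.rsplit("\\", 1)[-1].lower()
        findings.append({
            "target": target,
            "debugger": data,
            "high_risk": target in ACCESSIBILITY_BINARIES,
        })
    return findings


if __name__ == "__main__":
    for f in find_ifeo_hijacks(SAMPLE_REG):
        flag = "HIGH RISK" if f["high_risk"] else "review"
        print(f"{flag}: {f['target']} -> {f['debugger']}")
```

On a live host, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces the input; `reg export` writes UTF-16, so read the file with `encoding="utf-16"` before passing it in. A `Debugger` value on an accessibility binary has essentially no legitimate use, so every high-risk hit warrants a look at the file it points to, which in the case described here would be the SFX archive itself.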

“New evidence indicates that core SFX archive functionality is being abused in different ways,” CrowdStrike said.

Warning! An SFX archive that appears to contain nothing but an empty file can slip past technology-based detections and is easily dismissed by defenders. Paired with the registry key described above, however, it gives the attackers a persistent backdoor into the victim's environment.

What must be done?

CrowdStrike recommends the following checks to catch this activity:

  • Inspect self-extracting (SFX) archives with tools that can unpack them and reveal any scripts or executables set to be extracted and run when the archive executes.
  • Look beyond the archive's contents and examine the SFX decompressor stub itself, including the SFX script it carries, for any commands that run before, during or after extraction.
  • Establish a procedure for checking whether a password-protected SFX archive contains suspicious or malicious content.
  • Treat any SFX archive that contains only a null-byte (empty) file as worth a full examination for additional functionality.
  • Whenever possible, open an SFX archive with installed unarchiving software instead of executing it. Because the archive is appended to the stub as an overlay, it can also be carved out of the executable with a hex editor if necessary.
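The last two checks can be scripted. The Python below is an added example, not code from the article or from CrowdStrike: it locates the RAR archive appended behind an SFX stub by its signature, carves it without running the stub, and searches the carved bytes for WinRAR SFX script commands (`Setup`, `Presetup`, `Path`, `Silent`, `Overwrite` and similar). The sample input is constructed: a fake stub stands in for the real PE, followed by a RAR5 signature and a stored comment carrying a PowerShell launch. The signatures and command names are WinRAR's real ones; everything else in the sample is made up for illustration.

```python
"""Carve the archive overlay out of a WinRAR SFX executable and look for SFX
script commands without executing the stub.

Added example. The RAR signatures and SFX command names are WinRAR's real ones;
the sample executable below is constructed and is not a real malware sample.
"""
import re

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
RAR4_SIG = b"Rar!\x1a\x07\x00"

# SFX script commands WinRAR honours from the archive comment. Setup and
# Presetup run a program after/before extraction; the others shape how the
# extraction behaves (hidden, to a fixed path, overwriting silently).
SCRIPT_RE = re.compile(
    rb"(?<![A-Za-z])(SetupCode|Presetup|Setup|Shortcut|TempMode|Overwrite|Silent|Path|Title)=([^\r\n\x00]*)",
    re.IGNORECASE,
)
EXEC_COMMANDS = {"setup", "presetup"}

# Constructed sample: a stand-in for the PE stub, then a RAR5 archive whose
# stored comment carries an SFX script that launches PowerShell.
FAKE_STUB = b"MZ" + b"\x00" * 62 + b"this stands in for the SFX PE stub"
FAKE_COMMENT = (
    b";The comment below contains SFX script commands\r\n\r\n"
    b"Path=%TEMP%\r\nSilent=1\r\nOverwrite=1\r\n"
    b'Setup=powershell.exe -w hidden -c "Start-Process cmd.exe"\r\n'
)
SAMPLE_SFX = FAKE_STUB + RAR5_SIG + b"\x00" * 16 + b"CMT" + FAKE_COMMENT + b"\x00" * 8


def find_overlay(data):
    """Offset of the appended RAR archive, or -1 if no RAR signature is present."""
    hits = [h for h in (data.find(sig) for sig in (RAR5_SIG, RAR4_SIG)) if h != -1]
    return min(hits) if hits else -1


def carve_archive(data):
    """Return the bytes from the RAR signature to the end of the file."""
    off = find_overlay(data)
    return data[off:] if off != -1 else b""


def extract_sfx_script(archive):
    """Return (command, argument) pairs of any SFX script visible in the bytes."""
    return [(k.decode("ascii"), v.decode("latin-1")) for k, v in SCRIPT_RE.findall(archive)]


def assess(data):
    """Summarise what the SFX would do, without running it."""
    off = find_overlay(data)
    if off == -1:
        return {"is_sfx": False, "overlay_offset": -1, "script": [], "executes": []}
    script = extract_sfx_script(data[off:])
    executes = [(k, v) for k, v in script if k.lower() in EXEC_COMMANDS]
    return {"is_sfx": True, "overlay_offset": off, "script": script, "executes": executes}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_SFX
    report = assess(data)
    print(f"overlay at {report['overlay_offset']}, commands that run code: {report['executes']}")
    # Save the carved archive so an unarchiver can list it instead of running the stub.
    if report["is_sfx"] and len(sys.argv) > 1:
        open(sys.argv[1] + ".rar", "wb").write(carve_archive(data))
```

Two caveats. WinRAR may store the comment compressed, in which case the script text is not visible in the raw bytes and this grep will come back empty; list the carved `.rar` with an unarchiver and read the comment it displays instead. And a password-protected archive hides its file list but not the SFX script, so an empty result from the file listing says nothing about what `Setup=` will run.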

Concluding remarks

With such malicious scripts in circulation, the unarchiving tools in use deserve attention. Efficient scanning software combined with manual inspection is the key to cutting off these extra functions. Many botnets and stealthy intruders have begun to play with SFX archive techniques. Beware and stay safe!

Author: PureVPN

Date: April 10, 2023


PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, It helps consumers and businesses in keeping their online identity secured.
