  • WinRAR SFX archives can run PowerShell without being detected

    alf9872000

    • 534 views
    • 3 minutes
    Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.

     

    Self-extracting archives (SFX) created with compression software like WinRAR or 7-Zip are essentially executables that contain archived data along with a built-in decompression stub (the code for unpacking the data). SFX files can be password-protected to prevent unauthorized access.

     

    The purpose of SFX files is to simplify distribution of archived data to users who do not have a utility to extract the package.

     

    protected-sfx.png

    Password-protected SFX created with 7-Zip
    source: CrowdStrike

     

    Researchers at cybersecurity company CrowdStrike spotted the SFX abuse during a recent incident response investigation.

    SFX attacks in the wild

    CrowdStrike's analysis discovered an adversary that used stolen credentials to abuse 'utilman.exe' and set it to launch a password-protected SFX file that had been planted on the system previously.

     

    Utilman is an accessibility application that can be executed before user login, often abused by hackers to bypass system authentication.

     

    utilman.png

    The utilman tool on login screen
    source: CrowdStrike

     

    The SFX file triggered by utilman.exe is password-protected and contains an empty text file that serves as a decoy.

     

    The real function of the SFX file is to abuse WinRAR’s setup options to run PowerShell, Windows command prompt (cmd.exe), and task manager with system privileges.

     

    Taking a closer look at the technique used, Jai Minton of CrowdStrike found that the attacker had added multiple commands to run after the target extracted the archived text file.

     

    While there is no malware in the archive, the threat actor added commands under the setup menu for creating an SFX archive that would open a backdoor on the system.

     

    SFXarchivebackdoor.png

    Commands in WinRAR SFX setup that allow backdoor access
    source: CrowdStrike

     

    As seen in the image above, the comments show that the attacker customized the SFX archive so that there is no dialog and window displayed during the extraction process. The threat actor also added instructions to run PowerShell, command prompt, and task manager.

     

    WinRAR offers a set of advanced SFX options that allow adding a list of executables to run automatically before or after the process, as well as overwrite existing files in the destination folder if entries with the same name exist.

     

    “Because this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided,” explains CrowdStrike.

     

    “This type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub,” the researchers add.

     

    attack-chain.jpg

    Observed attack chain
    source: CrowdStrike

     

    CrowdStrike claims that malicious SFX files are unlikely to be caught by traditional AV solutions. In our tests, Windows Defender reacted when we created an SFX archive customized to run PowerShell after extraction.

     

    Microsoft's security agent detected the resulting executable as a malicious script tracked as Wacatac and quarantined it. However, we recorded this reaction only once and could not replicate it.

     

    The researchers advise users to pay particular attention to SFX archives and use appropriate software to check the content of the archive and look for potential scripts or commands scheduled to run upon extraction.
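
    One way to act on that advice is sketched below. This is an added example, not code from CrowdStrike or the original article. It assumes the archive's SFX comment text has already been read out with an archive tool, and it audits the WinRAR script commands in that text. The function names, the extra script hosts in `SHELL_LIKE`, and the sample comment are constructed for illustration.

```python
import ntpath
import re

# Programs that hand out an interactive shell or script host when an installer
# launches them. powershell.exe, cmd.exe and taskmgr.exe are the ones named in
# the article; the others are an assumed extension of the same idea.
SHELL_LIKE = {"powershell.exe", "pwsh.exe", "cmd.exe", "taskmgr.exe",
              "wscript.exe", "cscript.exe", "mshta.exe"}

def first_program(command):
    """Lower-cased file name of the program a Setup/Presetup value launches."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    name = ntpath.basename(m.group(1) or m.group(2)).lower()
    return name if "." in name else name + ".exe"

def audit_sfx_comment(comment):
    """Return (severity, command, value) for each SFX script line worth a look."""
    findings = []
    for raw in comment.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # ';' starts a comment line
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in ("setup", "presetup"):          # run before/after extraction
            sev = "high" if first_program(value) in SHELL_LIKE else "review"
            findings.append((sev, key, value))
        elif key == "silent" and value != "0":    # start dialog suppressed
            findings.append(("review", key, value))
        elif key == "overwrite" and value == "1": # existing files replaced silently
            findings.append(("review", key, value))
    return findings

def is_suspicious(comment):
    """True when the SFX script launches a shell-like program on extraction."""
    return any(sev == "high" for sev, _, _ in audit_sfx_comment(comment))

# Constructed sample mirroring the behaviour the article describes.
SAMPLE = """;The comment below contains SFX script commands
Setup=powershell.exe
Setup=cmd.exe
Setup=taskmgr.exe
Silent=1
Overwrite=1
"""

if __name__ == "__main__":
    for finding in audit_sfx_comment(SAMPLE):
        print(finding)
```

    A `review` finding is not malicious on its own, since legitimate installers also use `Setup=` and `Silent=`. The combination with a shell-like target is what deserves escalation.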

     
