WinRAR SFX archives can run PowerShell without being detected

Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.

Self-extracting archives (SFX) created with compression software like WinRAR or 7-Zip are essentially executables that contain archived data along with a built-in decompression stub (the code for unpacking the data). SFX files can be password-protected to prevent unauthorized access.

The purpose of SFX files is to simplify distribution of archived data to users that do not have a utility to extract the package.

Password-protected SFX created with 7-Zip
source: CrowdStrike

 

Researchers at cybersecurity company CrowdStrike spotted the SFX abuse during a recent incident response investigation.

SFX attacks in the wild

Crowdstrike's analysis discovered an adversary that used stolen credentials to abuse 'utilman.exe' and set it to launch a password-protected SFX file that had been planted on the system previously.

Utilman is an accessibility application that can be executed before user login, often abused by hackers to bypass system authentication.

The utilman tool on login screen
source: CrowdStrike

 

The SFX file triggered by utilman.exe is password-protected and contains an empty text file that serves as a decoy.

The real function of the SFX file is to abuse WinRAR’s setup options to run PowerShell, Windows command prompt (cmd.exe), and task manager with system privileges.

Taking a closer look at the technique used, Jai Minton of CrowdStrike found that the attacker had added multiple commands to run after the target extracted the archived text file.

While there is no malware in the archive, the threat actor added commands under the setup menu for creating an SFX archive that would open a backdoor on the system.

Commands in WinRAR SFX setup that allow backdoor access
source: CrowdStrike

 

As seen in the image above, the comments show that the attacker customized the SFX archive so that there is no dialog and window displayed during the extraction process. The threat actor also added instructions to run PowerShell, command prompt, and task manager.

WinRAR offers a set of advanced SFX options that allow adding a list of executables to run automatically before or after the process, as well as overwrite existing files in the destination folder if entries with the same name exist.

“Because this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided,” explains Crowdstrike.

“This type of attack is likely to remain undetected by traditional antivirus software that is looking for malware inside of an archive (which is often also password-protected) rather than the behavior from an SFX archive decompressor stub,” the researchers add.

Observed attack chain
source: CrowdStrike

 

Crowdstrike claims that malicious SFX files are unlikely to be caught by traditional AV solutions. In our tests, Windows Defender reacted when we created an SFX archive customized to run PowerShell after extraction.

Microsoft's security agent detected the resulting executable as a malicious script tracked as Wacatac and quarantined it. However, we recorded this reaction only once and could not replicate it.

The researchers advise users to pay particular attention to SFX archives and use appropriate software to check the content of the archive and look for potential scripts or commands scheduled to run upon extraction.

Source