An unknown risk actor used a malicious self-extracting archive (SFX) file in an try to determine persistent backdoor entry to a sufferer’s atmosphere, new findings from CrowdStrike present.
SFX recordsdata are able to extracting the information contained inside them with out the necessity for devoted software program to show the file contents. It achieves this by together with a decompressor stub, a chunk of code that is executed to unpack the archive.
“However, SFX archive recordsdata also can comprise hidden malicious performance that will not be instantly seen to the file’s recipient, and could possibly be missed by technology-based detections alone,” CrowdStrike researcher Jai Minton mentioned.
In the case investigated by the cybersecurity agency, compromised credentials to a system have been used to run a reliable Windows accessibility utility known as Utility Manager (utilman.exe) and subsequently launch a password-protected SFX file.
This, in flip, is made attainable by configuring a debugger (one other executable) within the Windows Registry to a selected program (on this case, utilman.exe) in order that the debugger is robotically began each time this system is launched.
The abuse of utilman.exe can also be noteworthy as it may be launched immediately from the Windows login display by utilizing the Windows emblem key + U keyboard shortcut, probably enabling risk actors to configure backdoors through the Image File Execution Options Registry key.
“Closer inspection of the SFX archive revealed that it capabilities as a password-protected backdoor by abusing WinRAR setup choices relatively than containing any malware,” Minton defined.
Specifically, the file is engineered to run PowerShell (powershell.exe), Command Prompt (cmd.exe), and Task Manager (taskmgr.exe) with NT AUTHORITYSYSTEM privileges by offering the correct password to the archive.
“This sort of assault is prone to stay undetected by conventional antivirus software program that’s searching for malware inside an archive (which is commonly additionally password-protected) relatively than the conduct from an SFX archive decompressor stub,” Minton added.
Learn to Secure the Identity Perimeter – Proven Strategies
Improve what you are promoting safety with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter methods!
This is just not the primary time SFX recordsdata have been employed in assaults as a way for attackers to remain undetected. In September 2022, Kaspersky disclosed a malware marketing campaign that utilized hyperlinks to such password-protected recordsdata to propagate RedLine Stealer.
A month later, the notorious Emotet botnet was noticed sending out an SFX archive that, as soon as opened by a consumer, would robotically extract a second password-protected SFX archive, enter the password, and execute its content material with out additional consumer interplay utilizing a batch script.
To mitigate threats posed by this assault vector, it is really useful that SFX archives are analyzed by unarchiving software program to determine any potential scripts or binaries which are set to extract and run upon execution.