Hackers Hide Backdoors Behind Malicious Self-Extracting Archives
Threat actors are adding malicious functionality to WinRAR self-extracting (SFX) archives to install persistent backdoors in target systems without detection. These SFX files contain decoy files that can launch PowerShell, command prompt, and task manager with system privileges.

Attacks using SFX files

According to CrowdStrike researchers, threat actors begin by planting a password-protected SFX file on the targeted system, created with WinRAR or 7-Zip.
  • They gain access to a system using compromised credentials and attempt to abuse a legitimate Windows accessibility application called Utility Manager (utilman[.]exe).
  • A debugger (another executable) is then configured for that application through the Windows Registry, so the debugger starts automatically every time the program is launched.
  • Launching utilman[.]exe triggers the SFX file, which contains an empty text file as a decoy. The archive abuses WinRAR's setup options to run PowerShell with multiple added commands and thereby open a backdoor on the system.

An apparently empty SFX archive file can be missed by technology-based detections and easily overlooked by defenders. However, when combined with a specific registry key, it may provide hackers with a persistent backdoor to a victim’s environment.

Why did attackers choose utilman?

The abuse of utilman[.]exe enables threat actors to configure backdoors via the Image File Execution Options (IFEO) debugger in the Windows registry.
  • Threat actors exploited the IFEO registry key to run binaries of their choice without authentication and bypass security measures on the target system.
  • Even if the target users lack decompression software such as WinRAR or 7-Zip, SFX files decompress seamlessly and display their contents without that software.
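The IFEO persistence described above leaves a registry artifact that defenders can audit. The following PowerShell script is an added example, not code from the article or from CrowdStrike; it enumerates every Debugger value under the Image File Execution Options keys, rates each hit, and offers a reviewed removal step. It assumes it is run as an administrator, and the watch list of accessibility binaries is constructed from the article's utilman.exe example.

```powershell
# Added audit example (not from the article). Run as an administrator.
# IFEO lives under both the native and the WOW6432Node registry views.
$IfeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Constructed watch list: accessibility binaries that run with SYSTEM rights
# from the logon screen; the article documents utilman.exe being abused.
$WatchList = @('utilman.exe')

function Get-IfeoDebugger {
    foreach ($path in $IfeoPaths) {
        # Each subkey is named after the program whose launch is intercepted.
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $debugger = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { return }
            $program = $_.PSChildName
            # Any debugger on an accessibility binary is high priority; a debugger
            # outside Windows/Program Files (e.g. a dropped SFX) is also suspect.
            if ($WatchList -contains $program.ToLower()) { $severity = 'High' }
            elseif ($debugger -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)') { $severity = 'Medium' }
            else { $severity = 'Low' }
            [pscustomobject]@{
                Program  = $program
                Debugger = $debugger
                Severity = $severity
                KeyPath  = $_.PSPath
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Remediation after review: removes only the Debugger value, leaving other
    # IFEO settings for the program intact. Supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$KeyPath)
    process {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Remove IFEO Debugger value')) {
            Remove-ItemProperty -Path $KeyPath -Name 'Debugger' -ErrorAction Stop
        }
    }
}

Get-IfeoDebugger | Sort-Object Severity | Format-Table -AutoSize
# After review: Get-IfeoDebugger | Where-Object Severity -eq 'High' | Remove-IfeoDebugger -WhatIf
```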

Wrapping up

The use of customized SFX archives allows attackers to run PowerShell and malicious scripts without triggering the security agent. To prevent such attacks, users are advised to pay particular attention to SFX archives and to use appropriate unarchiving software or other tools to inspect an archive's contents before running it. Moreover, it is recommended to scan SFX archives for any added hidden functionality.
Cyware Publisher