Hackers Exploit WinRAR SFX Archives to Install Backdoors Undetected



Threat actors are abusing WinRAR self-extracting (SFX) archives that contain decoy files, adding malicious functionality that installs backdoors on target systems without being detected.

SFX archives have legitimate uses: they let recipients open the contents without installing compression software. Security detections may miss malicious functionality hidden inside them. Researchers have found that even an apparently empty SFX archive can be dangerous, since, combined with a specific registry key, it can give an attacker a persistent backdoor into a victim's environment.

Attackers are using password-protected SFX archives as backdoors

Attackers are using password-protected SFX archives as backdoors by abusing the Image File Execution Options (IFEO) debugger setting in the Windows registry, which lets them run a binary of their choice without authenticating and bypass security measures.

Recently, threat hunters discovered that an attacker used compromised credentials to gain access to a system and tried to establish persistence by setting up an Image File Execution Options debugger in the Windows registry.

The attacker used a command line to configure the debugger in the Windows registry so that whenever utilman[.]exe (an accessibility application) was launched, Windows would instead start the specified debugger executable and pass utilman[.]exe to it as a parameter.

Attackers often abuse utilman[.]exe to run a binary of their choice without authenticating, bypassing security measures. Binaries run through this method have elevated privileges as they are executed under the local system account (NT AUTHORITY\SYSTEM). This allows the execution of commands with higher privileges than a standard administrator account.

While abusing utilman[.]exe in this way is not new, what was unusual in this case was that the binary the debugger setting pointed to was a password-protected SFX archive, which cannot be unarchived without the correct password.

WinRAR SFX archives support extended SFX commands that run once the archive has been extracted. Among these commands is a Setup option that specifies executables to launch.

Recommendation

To prevent such attacks, it is suggested to use unarchiving software or other tools to examine SFX archives for potential scripts or executables set to extract and run upon execution.

It is also advised to examine the SFX decompressor stub itself, to identify any commands that will run before, during, or after a successful extraction, rather than only examining the contents of the archive.
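The registry technique and the recommendation above can be checked together from the defender's side. The following audit script is an added example, not code from the article: it lists every IFEO entry that sets a Debugger value and flags the two indicators the article describes, a Debugger set on utilman.exe and a debugger target that carries an embedded RAR archive (a WinRAR SFX executable is a stub with the archive appended, so the RAR magic bytes appear inside it). It assumes an elevated PowerShell session on the host being examined and only reads the registry and files.

```powershell
# Added audit example (not from the article). Read-only: lists IFEO Debugger entries and
# flags the indicators described in the text. Run in an elevated PowerShell session.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$rarSignature = 'Rar!' + [char]0x1A + [char]0x07   # common prefix of the RAR4 and RAR5 magic bytes

function Get-DebuggerTarget([string]$debugger) {
    # The Debugger value may be quoted and may carry arguments; return only the executable path.
    $d = [Environment]::ExpandEnvironmentVariables($debugger.Trim())
    if ($d.StartsWith('"')) { return $d.Substring(1).Split('"')[0] }
    return $d.Split(' ')[0]
}

function Test-EmbeddedRar([string]$path) {
    # True when the file contains the RAR archive signature anywhere (SFX stub + appended archive).
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }
    $bytes = [System.IO.File]::ReadAllBytes($path)
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)  # Latin-1: one char per byte
    return $text.IndexOf($rarSignature, [System.StringComparison]::Ordinal) -ge 0
}

$findings = foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
    $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if (-not $debugger) { continue }
    $target = Get-DebuggerTarget $debugger
    [pscustomobject]@{
        Image       = $key.PSChildName
        Debugger    = $debugger
        Target      = $target
        # utilman.exe has no legitimate reason to carry a Debugger value on a production host
        OnUtilman   = ($key.PSChildName -ieq 'utilman.exe')
        EmbeddedRar = Test-EmbeddedRar $target
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object { $_.OnUtilman -or $_.EmbeddedRar } |
    ForEach-Object { Write-Warning "Suspicious IFEO debugger: $($_.Image) -> $($_.Debugger)" }
```

Any Debugger value on an accessibility binary should be treated as a finding regardless of the EmbeddedRar result; the RAR check only confirms the specific SFX variant described here.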

By FirstHackersNews | April 5th, 2023 (2023-04-10T21:49:41+05:30)

About the Author: FirstHackersNews - Identifies Security
