Attackers are using WinRAR to run malware on your PC without the antivirus detecting it

WinRAR is the best-known file compressor available for any computer system. This program is the creator of the famous RAR format, and of the eternal 40-day trial version that has given rise to so many comments and “memes” over the years. An archiver like WinRAR is essential for anyone who uses a computer and, above all, downloads files from the Internet.

Antiviruses are generally prepared to analyze compressed files. For example, when we download a file from the Internet, the security program searches inside it for any threat. The same thing happens when we run it and, of course, when we try to unzip it. However, attackers have found a technique with which antiviruses are not able to analyze the files before they are copied and executed on the PC: using self-extracting archives, or SFX.

This is how WinRAR SFX threats work

SFX archives are a type of archive that can be created by WinRAR, or by other programs such as 7-zip, and that are designed to be self-extracting: they can be decompressed without a file compressor installed, simply by double-clicking them. This format is intended, above all, for sharing compressed files with users who do not have the program installed.

A self-extracting archive has the same properties as a normal compressed file: we can reduce its size, apply certain settings, and even password-protect the data to prevent unauthorized users (and antivirus software) from reading its content.

Building on this technique, a group of hackers has been abusing “utilman.exe”, a Windows accessibility tool that runs before you log in to your PC, to launch a password-protected SFX archive that could then execute commands on the affected computer.

The self-extracting archive appeared to contain just an empty text file, but this was only a decoy. In reality, security researchers discovered that the technique was being used to execute CMD and PowerShell commands simply by opening the SFX archive. Running the file opened a back door on the PC, which was then used to connect remotely to the affected computer.

How to protect ourselves

It is difficult for antiviruses to detect this type of threat, and security firms are surely not focused right now on improving their programs to catch a technique that was typical 10 or 15 years ago. Therefore, the security of our systems depends directly on us.

To avoid falling into the clutches of attackers, it is necessary to pay close attention to the types of files that we execute. We must also be careful with the SFX archives that we download from the Internet and run, and use specialized tools to search these files for possible hidden commands and scripts.
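As an added example (not code from the article or from WinRAR), here is a small triage script of the kind just described: it checks whether a file looks like an executable SFX stub with an embedded RAR archive and lists any SFX script directives (Setup=, Silent=, and so on) that would make the stub run something after extraction. It assumes those directives appear as plaintext in the file, which is the case when the SFX comment is stored uncompressed; the sample bytes are constructed for the demonstration.

```python
# Heuristic triage of a suspected self-extracting (SFX) archive.
# Added example, not from the article. Assumes the WinRAR SFX script
# directives are visible as plaintext (uncompressed SFX comment).
import re

PE_MAGIC = b"MZ"                                   # Windows executable stub
RAR_SIGS = (b"Rar!\x1a\x07\x00",                   # RAR 4.x archive signature
            b"Rar!\x1a\x07\x01\x00")               # RAR 5.x archive signature
# SFX comment directives that control what the stub does after extraction.
DIRECTIVES = re.compile(
    rb"(?<![A-Za-z])(Setup|Presetup|Silent|Overwrite|Path|TempMode|Update)="
    rb"([^\r\n\x00]*)")
# Interpreters in a Setup= line that warrant an analyst's attention.
SUSPICIOUS = (b"cmd", b"powershell", b"wscript", b"cscript", b"mshta", b"rundll32")


def triage_sfx(data: bytes) -> dict:
    """Return a report describing SFX indicators found in the raw bytes."""
    report = {"is_pe": data[:2] == PE_MAGIC, "rar_offset": -1,
              "directives": [], "suspicious": []}
    for sig in RAR_SIGS:                           # locate the embedded archive
        off = data.find(sig)
        if off != -1:
            report["rar_offset"] = off
            break
    for m in DIRECTIVES.finditer(data):            # collect script directives
        key = m.group(1).decode()
        val = m.group(2).strip().decode(errors="replace")
        report["directives"].append((key, val))
        if key in ("Setup", "Presetup") and any(
                s in m.group(2).lower() for s in SUSPICIOUS):
            report["suspicious"].append(val)
    looks_like_sfx = report["is_pe"] and report["rar_offset"] != -1
    report["verdict"] = "REVIEW" if looks_like_sfx and report["suspicious"] else "ok"
    return report


# Constructed sample: fake PE stub, plaintext SFX comment, then a RAR signature.
SAMPLE = (b"MZ" + b"\x00" * 62 + b"fake-sfx-stub" + b"\x00" * 10
          + b"Silent=1\r\nOverwrite=1\r\nSetup=cmd.exe /c echo constructed-sample\r\n"
          + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16)

if __name__ == "__main__":
    r = triage_sfx(SAMPLE)
    print(r["verdict"], r["directives"], r["suspicious"])
```

A "REVIEW" verdict means the file is an executable carrying a RAR archive whose Setup directive invokes a command interpreter, which is exactly the combination this article describes; it is a triage hint for a human, not a malware verdict.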
