Security researchers have discovered malicious WinRAR SFX files, specially designed to install a backdoor and take control of personal computers. Be very careful with them because they look harmless and are not detected by standard antiviruses.
WinRAR SFX files are a special type of compressed archive. They can be created with applications such as WinRAR or 7-Zip and are very useful because they are self-extracting: the user who receives one does not need any software installed to decompress it. They are certainly convenient because they simplify distribution, but they are just as dangerous in the hands of cybercriminals, as in the latest case detected by the firm CrowdStrike.
One of the advanced features of this type of archive is the ability to include extended SFX commands, which are executed when the archive is unpacked. Among these commands is a configuration option used to specify an executable to run, and this capability has been abused in the past by the Emotet botnet to install malware.
However, a malicious SFX file does not need to contain malware at all: it can instead be used to invoke commands through native Windows tools as part of the decompressor stub's functions. That is the case in the incident at hand, where the authors designed the SFX files to launch the advanced Windows console, PowerShell, the command prompt and the task manager.
Once the console is open, the file registers a debugger in the Windows registry for a specified executable, an accessibility application that can be launched before user login. In this way the attackers run a binary of their choice at the Windows login screen, removing the need to authenticate to the system when the access credentials are unknown.
If they manage to get this in place, consider the machine lost, because binaries executed via this method run under the local system account (NT AUTHORITY\SYSTEM), which allows commands to be executed with even higher privileges than an administrator account. On top of that, since these SFX binaries are usually password protected, the archive cannot be unpacked without the correct password, even though its execution can still be triggered through the debugger. The execution path of this attack is ‘utilman.exe’, well known for password bypassing on Windows systems.
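A detection check for the registry change described above, written as an added example (it is not code from the article or from CrowdStrike): it scans Sysmon-style registry-event lines for an Image File Execution Options `Debugger` value set on utilman.exe, the registry mechanism this technique abuses, and extends the check to the other accessibility binaries that Windows can launch from the logon screen. The log line format, the username and the file names in the sample are constructed for the example.

```python
import re
from dataclasses import dataclass

# Accessibility helpers Windows can launch from the logon screen before anyone logs in.
# utilman.exe is the one named in the article; the others are its well-known siblings
# to which the same Image File Execution Options (IFEO) "Debugger" trick applies.
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# Sysmon-style registry path of an IFEO Debugger value; group 1 is the target executable.
IFEO_DEBUGGER_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\\]+)\\Debugger$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    target_binary: str  # accessibility binary being hijacked
    debugger: str       # program the registry will now launch in its place
    writer: str         # process that wrote the value

def parse_event(line: str) -> dict:
    """Parse one constructed 'Field=value; Field=value' log line into a dict."""
    fields = {}
    for part in line.split("; "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def check_event(fields: dict):
    """Return a Finding if the event sets an IFEO Debugger on an accessibility binary."""
    match = IFEO_DEBUGGER_RE.match(fields.get("TargetObject", ""))
    if not match or match.group(1).lower() not in ACCESSIBILITY_BINARIES:
        return None
    return Finding(match.group(1).lower(), fields.get("Details", ""), fields.get("Image", ""))

def find_hijacks(lines):
    """Run check_event over raw log lines and collect the findings."""
    return [f for f in (check_event(parse_event(l)) for l in lines) if f]

# Constructed lines shaped like Sysmon Event ID 13 (registry value set), not real captures.
SAMPLE_LOG = [
    r"EventID=13; Image=C:\Windows\System32\svchost.exe; TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start; Details=DWORD (0x00000003)",
    r"EventID=13; Image=C:\Users\victim\Downloads\invoice.exe; TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger; Details=C:\Windows\System32\cmd.exe",
    r"EventID=13; Image=C:\Tools\windbg.exe; TargetObject=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe\Debugger; Details=C:\Tools\windbg.exe",
]
```

Calling `find_hijacks(SAMPLE_LOG)` flags only the second line (a downloaded executable pointing utilman.exe at cmd.exe); a genuine debugger registered for an ordinary application is left alone.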
To conclude, since these WinRAR SFX files do not include any malware, traditional antivirus software (which usually looks for malware inside the files) will probably not detect them. Instead, the file creates a backdoor through which the attacker can execute all kinds of commands and scripts to take full control of the computer.
In general, special care must be taken with compressed files because they are widely used to distribute malware, and even more so with this particular type of self-extracting file.