Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks

 

According to recently discovered information from CrowdStrike, an unidentified individual utilized a harmful self-extracting archive (SFX) with the intention of gaining ongoing, covert entry to a target's system.

SFX files have the ability to extract their data without the requirement of specific software to exhibit the information in the file. They accomplish this by having a decompressor stub, which is a section of code that runs to unpack the compressed data.

Jai Minton, a researcher from CrowdStrike, points out that SFX archive files may also have concealed malicious features that are not easily noticeable to the person receiving the file and can evade technology-based scanning methods.

The cybersecurity company examined a scenario where illicit login details were employed to operate an authentic Windows utility known as Utility Manager (utilman.exe), thereby enabling access to a protected SFX file.

As a result, it becomes achievable by setting up a debugger (which is another program) in the Windows Registry for a particular application (such as utilman.exe), thus enabling the debugger to automatically initiate every time the said program is opened.

Utilizing utilman.exe is significant due to its ability to be accessed from the Windows login screen using the shortcut Windows logo key U. This may allow malicious actors to create backdoors through the Image File Execution Options Registry key.

According to Minton, after conducting a thorough examination of the SFX archive, it was discovered that instead of containing any malicious software, it operates as a backdoor that requires a password and exploits WinRAR setup settings.


The file is designed to allow access to PowerShell, Command Prompt and Task Manager with the privileges of NT AUTHORITYSYSTEM by entering the correct password into the archive.

According to Minton, traditional antivirus software is unlikely to detect this kind of attack because it mainly examines malware inside password-protected archives instead of monitoring the behavior of an SFX archive decompressor stub.

Before, cyber attackers have used SFX files to remain unnoticed in their attacks. Kaspersky reported in September 2022 about a malicious scheme that utilized password-protected SFX files as a means to spread RedLine Stealer malware.

A month after, the well-known Emotet botnet was seen to be distributing a self-extracting (SFX) archive. Once a user opens it, this archive automatically extracts another password-protected SFX archive, requires a password to enter, and executes its contents without any additional interaction from the user through a batch script.

To lessen the risks associated with this type of attack, it is advised to use software that unpacks SFX archives and checks for any scripts or programs that may be extracted and run upon activation.

Post a Comment

Previous Post Next Post