WinRAR SFX archives can run PowerShell without being detected (Security News, April 2023)
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
Self-extracting archives created with compression software like WinRAR or 7-Zip are essentially executables that contain archived data along with a built-in decompression stub.
WinRAR offers a set of advanced SFX options that allow adding a list of executables to run automatically before or after the extraction process, as well as overwriting existing files in the destination folder if entries with the same name exist.
"Because this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided," explains CrowdStrike.
In our tests, Windows Defender reacted when we created an SFX archive customized to run PowerShell after extraction.
The researchers advise users to pay particular attention to SFX archives and to use appropriate software to inspect the archive's content for scripts or commands scheduled to run upon extraction.
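The advice above amounts to a concrete check: an SFX is a PE stub followed by an embedded RAR archive, and WinRAR keeps the SFX script (lines such as `Setup=`, `Silent=`, `Overwrite=`, `Path=`) in the archive comment. The scanner below, an added example for this page and not CrowdStrike's or WinRAR's own code, confirms that a file is a PE with an embedded RAR marker, pulls out any SFX directives stored as plain text, and flags the ones that run a program after extraction or hide the extraction dialog. The sample bytes at the bottom are constructed, not a real archive; the directive list is a subset of WinRAR's documented SFX commands, and the assumption that the comment is stored uncompressed is labelled in the code (if it is not, list the archive with 7-Zip or unrar, which print the comment).

```python
"""Triage a WinRAR self-extracting (SFX) executable for embedded SFX script
commands: the Setup= mechanism the article describes.

Added example for this page; not CrowdStrike's or WinRAR's own code.
Assumption: the SFX script sits in the archive comment of the embedded RAR
data and is stored as plain text (common, but not guaranteed)."""
import re
import sys

# RAR archive markers (RAR 4.x and RAR 5.x); in an SFX they follow the PE stub.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"

# Subset of WinRAR SFX script directives: Key=Value lines and bare flags.
KEYED_RE = re.compile(
    rb"(?<![A-Za-z0-9_])(Setup|Presetup|Silent|Overwrite|Path|Update|Delete|Shortcut|Title)=([^\r\n]*)",
    re.I,
)
FLAG_RE = re.compile(rb"(?<![A-Za-z0-9_])(TempMode|SavePath)(?=[\r\n]|$)", re.I)

# Script hosts whose appearance in a Setup= line deserves a closer look.
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\b", re.I)


def extract_directives(data: bytes) -> list:
    """Return (Directive, value) pairs found as plain text anywhere in the file."""
    found = []
    for m in KEYED_RE.finditer(data):
        key = m.group(1).decode("latin-1").capitalize()
        val = m.group(2).decode("latin-1", "replace").strip()
        found.append((key, val))
    for m in FLAG_RE.finditer(data):
        found.append((m.group(1).decode("latin-1"), ""))
    return found


def assess(directives: list) -> list:
    """Explain which directives change what happens when the archive is opened."""
    findings = []
    for key, val in directives:
        k = key.lower()
        if k in ("setup", "presetup"):
            if INTERPRETER_RE.search(val):
                findings.append(f"{key}= launches a script interpreter: {val}")
            else:
                findings.append(f"{key}= runs a command around extraction: {val}")
        elif k == "silent" and val != "0":
            findings.append("Silent mode hides the extraction dialog from the user")
        elif k == "overwrite" and val == "1":
            findings.append("Overwrite=1 replaces existing files in the destination folder")
    return findings


def analyze_sfx(data: bytes) -> dict:
    """Classify the bytes of a file and report embedded SFX script behaviour."""
    is_pe = data[:2] == b"MZ"
    rar_offset = -1
    for sig in (RAR5_SIG, RAR4_SIG):
        if sig in data:
            rar_offset = data.find(sig)
            break
    directives = extract_directives(data)
    return {
        "is_pe": is_pe,
        "rar_offset": rar_offset,
        # A bare .rar starts with the marker at offset 0; an SFX has a PE stub first.
        "is_sfx": is_pe and rar_offset > 0,
        "directives": directives,
        "findings": assess(directives),
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return analyze_sfx(fh.read())


# Constructed stand-in for an SFX: fake PE stub, RAR4 marker, then an SFX script
# of the kind the article describes. This is not a real archive.
SAMPLE_SFX = (
    b"MZ" + b"\x90" * 62
    + RAR4_SIG + b"\x00" * 7
    + b";SFX script (constructed sample)\r\n"
    + b"Path=%temp%\\decoy\r\n"
    + b"Silent=1\r\n"
    + b"Overwrite=1\r\n"
    + b"Setup=powershell.exe -File decoy.ps1\r\n"
    + b"\x00" * 16
)

if __name__ == "__main__":
    report = scan_file(sys.argv[1]) if len(sys.argv) > 1 else analyze_sfx(SAMPLE_SFX)
    for field, value in report.items():
        print(f"{field}: {value}")
```

Run it with a path to an .exe to triage that file, or with no arguments to see the report for the constructed sample. A plain RAR archive (marker at offset 0) or a PE with no RAR marker is reported as not an SFX, and a file with no directives produces no findings, so the output is only noisy where the archive actually carries a script.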