Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks (Security News, April 2023)

An unknown threat actor used a malicious self-extracting archive file in an attempt to establish persistent backdoor access to a victim's environment, new findings from CrowdStrike show.
SFX files are capable of extracting the data contained within them without the need for dedicated software to display the file contents.
"Closer inspection of the SFX archive revealed that it functions as a password-protected backdoor by abusing WinRAR setup options rather than containing any malware," Minton explained.
Specifically, the file is engineered to run PowerShell, Command Prompt, and Task Manager with NT AUTHORITY\SYSTEM privileges by providing the right password to the archive.
A month later, the infamous Emotet botnet was observed sending out an SFX archive that, once opened by a user, would automatically extract a second password-protected SFX archive, enter the password, and execute its content without further user interaction using a batch script.
To mitigate threats posed by this attack vector, it's recommended that SFX archives be analyzed with unarchiving software to identify any scripts or binaries that are set to extract and run upon execution.
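As an added example along the lines of that recommendation (not code from the article or from CrowdStrike), the Python triage function below flags a PE file that carries an embedded RAR, 7-Zip or ZIP archive and scans it for the SFX script keys that decide what runs after extraction (WinRAR `Setup`/`Presetup`/`Silent`/`TempMode`/`Overwrite`/`Path`, 7-Zip `RunProgram`/`ExecuteFile`). The sample bytes are constructed; WinRAR keeps its SFX script in the archive comment, which this heuristic only sees when that comment is stored uncompressed, so it is a first pass before opening the file in an unarchiver, not a replacement for it.

```python
import re

# Magic bytes of archive formats commonly wrapped in an SFX stub.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}

# SFX script keys: the first four launch something after extraction
# (WinRAR Setup/Presetup, 7-Zip RunProgram/ExecuteFile); the rest hide
# or redirect the extraction. Matched at line start, case-insensitive.
SFX_KEYS = re.compile(
    rb"^(Setup|Presetup|RunProgram|ExecuteFile|Silent|TempMode|Overwrite|Path)=?(.*)$",
    re.MULTILINE | re.IGNORECASE,
)
LAUNCH_KEYS = {"setup", "presetup", "runprogram", "executefile"}


def inspect_sfx(data: bytes) -> dict:
    """Heuristic triage of a file suspected to be a self-extracting archive."""
    result = {"is_pe": data[:2] == b"MZ", "archives": [], "script": [], "suspicious": False}
    for magic, name in ARCHIVE_MAGICS.items():
        off = data.find(magic)
        if off > 0:  # archive signature after a stub, i.e. not a bare archive
            result["archives"].append((name, off))
    if result["is_pe"] and result["archives"]:
        # Only an executable carrying an archive qualifies as an SFX; look for
        # script keys that would run content once the user opens it.
        for m in SFX_KEYS.finditer(data):
            key = m.group(1).decode()
            val = m.group(2).strip().decode(errors="replace")
            result["script"].append((key, val))
        result["suspicious"] = any(k.lower() in LAUNCH_KEYS for k, _ in result["script"])
    return result


# Constructed sample: a fake PE stub, a RAR5 signature and a stored SFX comment.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 64
    + b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8
    + b"\r\nPath=%temp%\r\nSetup=cmd.exe\r\nSilent=1\r\nOverwrite=1\r\n"
)

if __name__ == "__main__":
    report = inspect_sfx(SAMPLE_SFX)
    print("archives:", report["archives"])
    print("script keys:", report["script"])
    print("needs review in an unarchiver:", report["suspicious"])
```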
News URL
https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html