Security News > 2023 > April > Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks
An unknown threat actor used a malicious self-extracting archive file in an attempt to establish persistent backdoor access to a victim's environment, new findings from CrowdStrike show.
SFX files are capable of extracting the data contained within them without the need for dedicated software to display the file contents.
"Closer inspection of the SFX archive revealed that it functions as a password-protected backdoor by abusing WinRAR setup options rather than containing any malware," Minton explained.
Specifically, the file is engineered to run PowerShell, Command Prompt, and Task Manager with NT AUTHORITYSYSTEM privileges by providing the right password to the archive.
A month later, the infamous Emotet botnet was observed sending out an SFX archive that, once opened by a user, would automatically extract a second password-protected SFX archive, enter the password, and execute its content without further user interaction using a batch script.
To mitigate threats posed by this attack vector, it's recommended that SFX archives are analyzed through unarchiving software to identify any potential scripts or binaries that are set to extract and run upon execution.
- Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites (source)
- Iranian Hackers Launch Sophisticated Attacks Targeting Israel with Powerless Backdoor (source)
- China's Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks (source)
- Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise (source)
- Hackers Flood NPM with Bogus Packages Causing a DoS Attack (source)
- Azure admins warned to disable shared key access as backdoor attack detailed (source)
- 3CX confirms North Korean hackers behind supply chain attack (source)
- North Korean Hackers Uncovered as Mastermind in 3CX Supply Chain Attack (source)
- Russian hackers linked to widespread attacks targeting NATO and EU (source)
- Russia-Linked Hackers Launches Espionage Attacks on Foreign Diplomatic Entities (source)