CrowdStrike researchers have found that SFX (self-extracting) archives, which WinRAR users create to share compressed files with recipients who do not have WinRAR installed, are being abused to hide malicious files that install backdoors and bypass operating-system security controls.
After gaining access to a Windows machine with stolen credentials, the attackers install the backdoor by adding a registry key that makes the Utilman accessibility tool run the SFX file before login.
The malware runs in the background while the user sees a ‘bait’ (decoy) document on screen.
A Trustwave blog post published in October 2022 details how the notorious Emotet botnet was sending out an SFX archive that, once opened by a user, would automatically extract a second, password-protected SFX archive, supply its password and run its contents without further user input. The archive also displayed a decoy file to avoid raising suspicion.
The researchers recommend that users inspect the contents of an SFX archive and look for dangerous commands before running the file, since many anti-virus products do not detect this kind of threat.
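The inspection step suggested above, as an added example (not code from CrowdStrike or the article): a small Python scanner that pulls WinRAR SFX script directives out of a file and flags the ones that hide the extraction or run a program afterwards. It assumes the SFX comment holding the script is stored as plain text in the file; the sample bytes are constructed, not a real archive.

```python
import re

# Constructed sample modelled on how a WinRAR SFX stub carries its script:
# a PE stub, the RAR marker and then the archive comment holding the script.
# This is not a real archive; only the comment text matters to the scanner.
SAMPLE_SFX = (
    b"MZ\x90\x00" + b"\x00" * 16 + b"Rar!\x1a\x07\x00"
    b";The comment below contains SFX script commands\r\n"
    b"Path=%temp%\\update\r\n"
    b"Silent=1\r\n"
    b"Overwrite=1\r\n"
    b"Setup=cmd.exe /c start decoy.pdf\r\n"
    b"Setup=payload.exe\r\n"
    b"\x00\x00"
)

# WinRAR SFX script directives worth surfacing. Assumes the comment text is
# stored uncompressed, so the directives appear in plain text in the file.
DIRECTIVE_RE = re.compile(
    rb"^(Setup|Presetup|Path|Silent|Overwrite|TempMode|Update|Delete)(?:=(.*))?$",
    re.MULTILINE,
)

# Directives that hide what the archive does or execute code around extraction.
RISKY = {
    "Silent": "hides the extraction dialog from the user",
    "Overwrite": "silently replaces existing files",
    "TempMode": "extracts to a temp folder and removes it afterwards",
    "Setup": "runs a program after extraction",
    "Presetup": "runs a program before extraction",
}


def scan_sfx(data: bytes) -> dict:
    """Return the SFX script directives found in data plus a list of findings."""
    directives = []
    for m in DIRECTIVE_RE.finditer(data):
        name = m.group(1).decode("ascii")
        value = (m.group(2) or b"").rstrip(b"\r").decode("latin-1")
        directives.append((name, value))
    commands = [v for n, v in directives if n in ("Setup", "Presetup")]
    findings = []
    for n, _ in directives:
        if n in RISKY and f"{n}: {RISKY[n]}" not in findings:
            findings.append(f"{n}: {RISKY[n]}")
    if commands and any(n == "Silent" for n, _ in directives):
        findings.append("executes a program with the dialog hidden; treat as hostile")
    return {"directives": directives, "commands": commands, "findings": findings}


if __name__ == "__main__":
    for line in scan_sfx(SAMPLE_SFX)["findings"]:
        print(line)
```

Run it against a suspect SFX before opening it; an archive that only unpacks files will produce no findings, while one that combines Silent with Setup is flagged for follow-up.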