Packed, self-extracting archives have long been used to deliver malware. A new trick reported by CrowdStrike turns this around: the self-extracting archives themselves contain no malware, but when opened on Windows they execute a chain of commands, and those commands can then fetch the actual malware afterwards.
Many employees rely on a packer such as ZIP, 7-Zip or WinRAR so that large files travel faster by email, and self-extracting archives are popular in business as well: the archive is an EXE file and unpacks itself with a click. Outlook blocks EXE attachments, for example, but still lets through a ZIP file with an EXE packed inside it. Good scanners, however, have learned to detect malware in such doubly packed archives, so attackers are now looking for new ways to trap unsuspecting employees.
Emotet uses encrypted archives
In the Emotet case, users were sent an archive containing harmless decoy files plus a second, encrypted archive. A scan turned up only the harmless files, because the encrypted part usually cannot be inspected, and the parameters and commands hidden in the archive's script are not visible either. When the self-extracting archive is unpacked, it writes the packed files to disk and then launches the second, encrypted archive, passing it the password as a parameter; the Emotet payload is unpacked and executed.
Archives with a chain of commands
When a self-extracting archive (SFX for short) is run with a click, its contents are extracted. If malware is written to the system in the process, an endpoint security solution usually blocks it reliably. But the archives found by CrowdStrike contain no malware. Instead, the SFX files run a chain of commands, and SFX archives can be given such commands quite legitimately as part of their setup script. In one recorded case, the commands set a registry key in Windows, which in turn made it possible to run commands with higher privileges than those of a standard administrator account.
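The following Python script is an added example, not code from the article or from CrowdStrike. It shows how a practitioner could triage an SFX executable for both patterns described in the two cases above: it pulls the WinRAR SFX script directives (Path=, Silent=, TempMode, Setup= and so on) out of the raw file and flags a Setup= line that hands a password to a nested archive, as well as one that writes to the registry or launches a script host. It assumes the SFX comment is stored uncompressed and is therefore readable in the file bytes; the two sample files, the password, the registry key and the scoring weights are constructed placeholders.

```python
"""Triage helper for self-extracting (SFX) archives (added example).

WinRAR SFX modules take their post-extraction behaviour from a script stored
as the archive comment. Assumption for this example: that comment is stored
uncompressed, so its directives are visible in the raw bytes of the EXE.
"""
import re
from dataclasses import dataclass, field

# Directives from the WinRAR SFX script language. TempMode stands alone; the
# others take a value. The lookbehind stops matches inside other words.
DIRECTIVE_RE = re.compile(
    r"(?<![A-Za-z0-9_])(?:(TempMode)|"
    r"(Setup|Presetup|Silent|Overwrite|Path|Delete|Update|Title|Text|Shortcut)"
    r"=([^\r\n]*))(?=\r|\n|$)"
)
PASSWORD_RE = re.compile(r"(?:^|\s)-p\S+")  # WinRAR/7-Zip -p<password>, attached
REGISTRY_RE = re.compile(r"\breg(?:\.exe)?\s+add\b|\bregedit(?:\.exe)?\b|\S+\.reg\b", re.I)
HOST_RE = re.compile(r"\b(?:cmd|powershell|pwsh|mshta|wscript|cscript|rundll32)(?:\.exe)?\b", re.I)


def extract_sfx_script(data: bytes) -> list[str]:
    """Return the SFX directive lines found verbatim in the raw file bytes."""
    text = data.decode("latin-1")  # 1:1 byte-to-char mapping, never fails on binary
    return [m.group(0) for m in DIRECTIVE_RE.finditer(text)]


@dataclass
class Verdict:
    silent: bool = False            # Silent=1/2: extraction runs without a dialog
    temp_mode: bool = False         # TempMode: extract to %TEMP%, run, then delete
    setup_commands: list[str] = field(default_factory=list)
    password_passed: bool = False   # nested encrypted archive opened with -p (Emotet case)
    registry_write: bool = False    # registry modified from the SFX script (second case)
    script_host: bool = False       # cmd/PowerShell/etc. launched after extraction
    score: int = 0


def assess(lines: list[str]) -> Verdict:
    """Score directive lines; whatever runs via Setup= is the interesting part."""
    v = Verdict()
    for line in lines:
        key, _, val = line.partition("=")
        if key == "TempMode":
            v.temp_mode = True
        elif key == "Silent" and val.strip() != "0":
            v.silent = True
        elif key in ("Setup", "Presetup"):
            v.setup_commands.append(val)
            v.password_passed |= PASSWORD_RE.search(val) is not None
            v.registry_write |= REGISTRY_RE.search(val) is not None
            v.script_host |= HOST_RE.search(val) is not None
    # Weights are a judgement call for this example: running a command at all
    # matters more than cosmetic switches such as Silent= or TempMode.
    v.score = (v.silent + v.temp_mode + 3 * v.password_passed
               + 3 * v.registry_write + 2 * v.script_host)
    return v


def triage(data: bytes) -> Verdict:
    return assess(extract_sfx_script(data))


# Constructed samples, not real files: a fake PE stub, a RAR5 signature, then an
# SFX script. The inner archive name, password and registry key are placeholders.
SUSPICIOUS_SFX = (
    b"MZ\x90\x00" + b"\x00" * 12 + b"Rar!\x1a\x07\x01\x00" + b"\x00\x1b"
    + b"Path=%TEMP%\\report\r\n"
    + b"Silent=1\r\n"
    + b"Overwrite=1\r\n"
    + b"TempMode\r\n"
    + b"Setup=inner.exe -pPl4ceholder -y\r\n"                       # decoy + encrypted inner archive
    + b"Setup=reg add HKCU\\Software\\Example /v Run /d \"%TEMP%\\report\\inner.exe\" /f\r\n"
    + b"Setup=cmd.exe /c start quarterly_report.pdf\r\n"            # opens the decoy for the user
    + b"\x00" * 8
)
BENIGN_SFX = (
    b"MZ\x90\x00" + b"\x00" * 12 + b"Rar!\x1a\x07\x01\x00" + b"\x00\x1b"
    + b"Title=Product manuals\r\n"
    + b"Path=%USERPROFILE%\\Manuals\r\n"
    + b"Overwrite=1\r\n"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_SFX), ("benign", BENIGN_SFX)):
        v = triage(blob)
        print(f"{name}: score={v.score} setup={v.setup_commands} "
              f"password_passed={v.password_passed} registry_write={v.registry_write}")
```

Because the scanner only reads the SFX script, it does not need to decrypt the inner archive at all: the command line that opens that archive, password included, is exactly the part an encrypted-payload check cannot see, and it is enough on its own to quarantine the file for a closer look.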
CrowdStrike has documented how these traps work in practice in a blog post and walks through each of the examples found in the wild.
More at Crowdstrike.com
About CrowdStrike CrowdStrike Inc., a global leader in cybersecurity, is redefining security in the cloud age with its completely redesigned platform for protecting workloads and devices. The lean single-agent architecture of the CrowdStrike Falcon® platform uses cloud-scaled artificial intelligence and provides protection and visibility across the enterprise. This prevents attacks on endpoints both inside and outside the network. With the help of the company's own CrowdStrike Threat Graph®, CrowdStrike Falcon correlates around 1 trillion endpoint-related events worldwide every day in real time. This makes the CrowdStrike Falcon platform one of the world's most advanced data platforms for cybersecurity.