How cybercriminals secretly build in backdoors via SFX archives
by Tina Siering
Sophisticated attack vector bypasses traditional anti-virus software
Cybercriminals abuse SFX (self-extracting) archives to install a backdoor in the victim's environment and launch PowerShell without the archive itself being flagged as malicious.
An SFX (self-extracting) archive is a data archive packaged as an executable file: it carries a so-called decompressor stub, a short program that unpacks the compressed data. No separate software such as WinRAR or 7-Zip is therefore needed to unpack it, which is why SFX archives are commonly used for program installation. The same stub also reads and carries out the setup script stored in the archive, and that is the part the attackers abuse.
During an investigation, the CrowdStrike security team found a password-protected SFX file that attackers had placed on a victim's system. It contained no malicious code, only an empty text file. Its real purpose was to abuse WinRAR's setup options through SFX script commands embedded in the archive.
When run, the archive extracted itself automatically without displaying any dialogue box or window, and then launched PowerShell, the Windows Command Prompt (cmd.exe) and Task Manager with system privileges.
So although the archive contained no malware, the commands the attacker had added through the SFX setup options were enough to turn it into a backdoor on the compromised system.
Illustration of attack chain
Conventional antivirus software does not catch this type of attack: its rules look for malicious code inside archives, not at what the SFX decompressor stub will do with the script it carries.
- To protect themselves, users should always treat SFX archives with extra care and use a dedicated tool to inspect the archive for executable scripts or commands. WinRAR, for example, offers a number of advanced SFX options: a list of programs to run automatically after extraction, a silent mode that suppresses dialogue boxes, and an overwrite mode that replaces existing files in the destination folder when entries with the same name exist.
- Check not only the contents of an SFX archive, but also the functions the SFX decompressor stub provides, so that hidden commands are detected early.
- Be especially careful with an SFX archive that contains a zero-byte file. Check it for additional functions, and open it with an ordinary archiver (such as WinRAR or 7-Zip) to decompress it instead of running the executable, so the stub and its commands never execute.
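The checks recommended above, and the attack pattern described earlier (silent extraction, a decoy zero-byte file, Setup commands that start a shell), can be turned into a small triage script. The following is an added example, not code from the article or from CrowdStrike. It assumes the SFX script (the archive comment that the WinRAR stub reads for its Setup/Silent/Overwrite commands) has already been pulled out of the file with an archiver that does not execute the stub, for instance `unrar cw suspect.exe script.txt`, and that the file listing comes from `unrar l` or `7z l`; the byte string, script and listing below are constructed for the demonstration.

```python
"""Triage checks for a WinRAR SFX archive before anyone double-clicks it.

Added example; not the article's or CrowdStrike's tooling. Inputs assumed:
  - raw bytes of the suspect .exe
  - the SFX script text (archive comment), extracted with e.g. `unrar cw`
  - a (name, size) listing of the archive's entries, from `unrar l` / `7z l`
All sample data at the bottom is constructed.
"""
import re

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive signature

# WinRAR SFX script commands that matter for triage and why.
RISKY_COMMANDS = {
    "setup":     "runs a program after extraction",
    "presetup":  "runs a program before extraction",
    "setupcode": "stub returns the Setup program's exit code (installer behaviour)",
    "silent":    "hides the start dialog (1) or every window (2)",
    "overwrite": "silently overwrites existing files when set to 1",
    "tempmode":  "extracts to a temp dir and deletes it after Setup finishes",
    "delete":    "deletes files before extraction",
    "path":      "fixes the destination directory",
}
SHELL_RE = re.compile(r"(powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32)", re.I)


def is_rar_sfx(data: bytes) -> dict:
    """Identify a PE file that carries an embedded RAR archive, i.e. an SFX."""
    off5, off4 = data.find(RAR5_SIG), data.find(RAR4_SIG)
    offset = off5 if off5 != -1 else off4
    return {
        "is_pe": data[:2] == b"MZ",
        "rar_version": 5 if off5 != -1 else 4 if off4 != -1 else None,
        "archive_offset": offset if offset != -1 else None,
    }


def parse_sfx_script(script: str) -> list:
    """Turn the SFX comment into (command, value) pairs.

    Handles `Key=Value`, bare keys (TempMode, SetupCode) and the brace-delimited
    multi-line blocks used by Text and License, whose bodies are not commands.
    Lines starting with ';' are comments in WinRAR's script syntax.
    """
    pairs, in_block = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if in_block:
            in_block = line != "}"
            continue
        if not line or line.startswith(";"):
            continue
        if line == "{":
            in_block = True
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def audit_sfx_script(script: str) -> list:
    """Flag every command that gives the stub a payload or hides what it does."""
    findings = []
    for cmd, value in parse_sfx_script(script):
        if cmd not in RISKY_COMMANDS:
            continue
        if cmd == "silent" and value not in ("1", "2"):
            continue                      # Silent=0 is the default, not a finding
        if cmd == "overwrite" and value != "1":
            continue                      # 0 = ask, 2 = skip existing files
        finding = {"command": cmd, "value": value, "why": RISKY_COMMANDS[cmd]}
        if cmd in ("setup", "presetup") and SHELL_RE.search(value):
            finding["why"] += "; launches a script host or shell"
        findings.append(finding)
    return findings


def decoy_only(entries: list) -> bool:
    """True when the archive's whole payload is zero-byte files (pure decoy)."""
    return bool(entries) and all(size == 0 for _, size in entries)


def triage(data: bytes, script: str, listing: list) -> dict:
    sfx = is_rar_sfx(data)
    findings = audit_sfx_script(script)
    suspicious = bool(sfx["rar_version"]) and (bool(findings) or decoy_only(listing))
    return {**sfx, "findings": findings, "decoy_only": decoy_only(listing),
            "verdict": "suspicious" if suspicious else "no SFX indicators"}


# Constructed sample: a PE-looking stub prefix followed by a RAR5 signature.
SAMPLE_SFX_BYTES = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200 + RAR5_SIG + b"\x00" * 16
# Constructed SFX script modelled on the attack: silent, fixed path, Setup commands.
SAMPLE_SCRIPT = """\
;The comment below contains SFX script commands
Path=%TEMP%\\decoy
Silent=2
Overwrite=1
Setup=taskmgr.exe
Setup=powershell.exe -WindowStyle Hidden -NoProfile
"""
SAMPLE_LISTING = [("readme.txt", 0)]   # the only 'content': an empty text file

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_SFX_BYTES, SAMPLE_SCRIPT, SAMPLE_LISTING), indent=2))
```

Running the block on the constructed sample reports a RAR5 SFX whose script fixes the path, runs fully silent, overwrites existing files and launches two programs (one of them PowerShell), with nothing but a zero-byte file as payload; that combination is exactly the profile described above and should be quarantined rather than opened.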