Security researchers have discovered malicious WinRAR SFX files specially designed to install backdoors and take control of personal computers. Be very careful with them, because they look harmless and are not detected by standard antivirus products.
WinRAR SFX files are a special type of compressed archive. They can be created with applications such as WinRAR or 7-Zip and are very useful because they are self-extracting: the user who receives one of these files does not need any software installed to decompress it. They certainly make distribution easier, but in the hands of cybercriminals they are just as dangerous, as the latest case uncovered by CrowdStrike shows.
One of the advanced features of this type of archive is the ability to include extended SFX commands that run when it is unpacked. Among these commands is a configuration option used to specify which executable to run, and this capability has been exploited in the past, for example when the Emotet botnet installed malware.

However, a malicious SFX file does not need to contain malware at all: it can instead invoke native Windows tools through the setup commands that run during extraction. That is what happens in the reported case, where the authors designed SFX files to launch the Windows Advanced Console, PowerShell, Command Prompt, and Task Manager.
Once the console is opened, the file registers a debugger in the Windows registry for the specified executable, an accessibility application that can be launched before the user logs in. In this way the attackers run a binary of their choice from the Windows logon screen, bypassing the need to authenticate to the system even when they do not know any credentials.
If they manage to get in, the outlook is bleak, because binaries executed by this method run under the local system account (NT AUTHORITY\SYSTEM), which allows commands to be executed with higher privileges than the administrator account. Furthermore, since these files are usually password protected, even if it is possible to confirm that they run through the debugger, their contents cannot be recovered without the correct password. The execution path of this attack is ‘utilman.exe’, well known for bypassing passwords on Windows systems.
In conclusion, since these WinRAR SFX files do not contain any kind of malware, traditional antivirus software (which usually looks for malware inside files) will most likely not flag them. Instead, the file creates a backdoor through which an attacker can execute various commands and scripts to gain full control of the computer.
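A detection check for the mechanism described above, added here as an example and not code from the article or from CrowdStrike. It parses a constructed registry export, assumes the debugger is registered under the Image File Execution Options key (the standard location Windows reads a Debugger value from), and flags entries on utilman.exe and, going beyond the article, on the other accessibility binaries reachable from the logon screen.

```python
import re

# Assumed mechanism: a "Debugger" value under this key makes Windows launch the
# named program instead of the image, which is how the described backdoor works.
IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
            r"\CurrentVersion\Image File Execution Options")

# utilman.exe is the binary named in the article; the rest are other accessibility
# tools that can also be started from the logon screen, added as a generalization.
LOGON_SCREEN_BINARIES = {"utilman.exe", "sethc.exe", "osk.exe",
                         "narrator.exe", "magnify.exe", "displayswitch.exe"}

# Constructed sample of a .reg export (not a real capture).
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\someapp.exe]
"Debugger"="C:\\Tools\\devdbg.exe"
"""


def find_ifeo_debuggers(reg_text):
    """Return {image_name: debugger_path} for every IFEO subkey carrying a Debugger value."""
    found = {}
    current = None  # image name of the IFEO subkey we are currently inside, if any
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = None
            path = key.group(1)
            if path.lower().startswith(IFEO_KEY.lower() + "\\"):
                # first component after the IFEO key is the image name
                current = path[len(IFEO_KEY) + 1:].split("\\")[0].lower()
            continue
        value = re.match(r'^"Debugger"="(.*)"$', line, re.IGNORECASE)
        if value and current:
            # .reg exports double the backslashes; undo that for a readable path
            found[current] = value.group(1).replace("\\\\", "\\")
    return found


def logon_screen_backdoors(reg_text):
    """Debugger entries attached to binaries that Windows can launch before logon."""
    return {img: dbg for img, dbg in find_ifeo_debuggers(reg_text).items()
            if img in LOGON_SCREEN_BINARIES}
```

A legitimate developer debugger on an ordinary application is reported by the first function but not the second, so the second is the one to alert on.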

In general, special care should be taken with compressed files, as they are widely used to distribute malware, and even more so with this particular type of self-extracting file.