Threat actors exploiting WinRAR SFXs to add undetectable backdoors

An analysis by CrowdStrike cybersecurity researchers revealed that some threat actors are taking advantage of WinRAR self-extracting archives (SFXs) to run executables such as PowerShell without being detected by traditional antivirus software, according to BleepingComputer. CrowdStrike staff reported that, while conducting an incident response investigation, they discovered a password-protected SFX file that had been planted on a victim's system by an adversary, who used stolen credentials to trigger it through abuse of the Utilman application, which can be executed before user login and therefore bypasses system authentication. The SFX file contains a decoy empty text file and custom commands entered during its creation that cause it to automatically execute PowerShell, the command prompt, and Task Manager, and to extract the file without creating a dialog or window. "Because this SFX archive could be run from the logon screen, the adversary effectively had a persistent backdoor that could be accessed to run PowerShell, Windows command prompt, and task manager with NT AUTHORITY\SYSTEM privileges, as long as the correct password was provided," CrowdStrike reported.
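A defender-side triage check for this technique, added here as an example and not code from CrowdStrike or the article: it locates the RAR archive embedded in a suspected WinRAR SFX and scans the SFX script directives stored after it, flagging scripts that silently launch PowerShell, cmd or Task Manager. The directive names are WinRAR's own SFX script commands; the sample bytes are constructed, and a compressed or header-encrypted comment block would not be visible to this plain string scan.

```python
import re

# Signatures for RAR4 and RAR5 archives; a WinRAR SFX is a PE stub with the archive appended.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")

# WinRAR SFX script directives worth inspecting: "Setup" runs a program after extraction,
# "Silent" suppresses the dialog, "TempMode" extracts to a temp dir that is deleted afterwards.
DIRECTIVE_RE = re.compile(
    r"(?<![A-Za-z])(Setup|Presetup|Silent|TempMode|Overwrite|Path)(?:=([^\r\n\x00]*))?(?=[\r\n\x00]|$)",
    re.IGNORECASE,
)

# Interactive tools the article describes being launched from the logon screen.
SUSPICIOUS_BINARIES = ("powershell", "cmd.exe", "taskmgr")

def extract_sfx_directives(data: bytes) -> dict:
    """Map each directive (lower-cased) to the list of values found after the RAR header."""
    starts = [data.find(sig) for sig in RAR_SIGNATURES if sig in data]
    if not starts:
        return {}
    text = data[min(starts):].decode("latin-1")  # 1:1 byte mapping, never raises
    found = {}
    for m in DIRECTIVE_RE.finditer(text):
        found.setdefault(m.group(1).lower(), []).append((m.group(2) or "").strip())
    return found

def assess_sfx(data: bytes) -> list:
    """Return human-readable findings; an empty list means no SFX script indicators were seen."""
    d = extract_sfx_directives(data)
    launches = d.get("setup", []) + d.get("presetup", [])
    findings = [f"SFX script launches interactive tool: {cmd}"
                for cmd in launches if any(b in cmd.lower() for b in SUSPICIOUS_BINARIES)]
    if launches and d.get("silent", ["0"])[0] in ("1", "2"):
        findings.append("Silent mode hides the extraction dialog")
    if launches and "tempmode" in d:
        findings.append("TempMode removes the extracted files once the launched program exits")
    return findings

# Constructed sample (not a real artifact): fake PE stub, RAR5 signature, then an SFX script
# mirroring the behaviour described in the article.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 32 + b"GetTempPathW\x00" + RAR_SIGNATURES[1] + b"\x00" * 8
    + b"Setup=powershell.exe\r\nSetup=cmd.exe\r\nSetup=taskmgr.exe\r\nSilent=1\r\nTempMode\r\n"
    + b"\x00decoy.txt\x00"
)

if __name__ == "__main__":
    for line in assess_sfx(SAMPLE_SFX) or ["no SFX script indicators"]:
        print(line)
```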
