This variation on an old technique does not require the victim to provide a password to execute the malware. Credit: Thinkstock Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.Self-extracting archives with batch scriptsIn recent spam campaigns observed by Trustwave attackers distributed ZIP or ISO archives disguised as invoices. Both file types can be opened natively on Windows without the use of additional applications.These archives served as a container for executable files with PDF or Excel icons. These files are actually RAR self-extracting (SFX) archives themselves, which, if executed, unpack several other files in a predefined directory: a .bat script, a decoy PDF file, and another .exe files that’s a secondary password-protected RAR self-extracting archive. One feature of SFX archives is that they support the execution of script commands. The primary archive is configured to execute the .bat script and to open the decoy PDF file. The .bat script will in turn execute the secondary SFX archive while also supplying the password for it without the user having to enter it. “In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder,” the researchers said.The secondary SFX archive contains the malicious payload written in .NET and obfuscated with ConfuserEX, a free and open-source protector for .NET applications. Cryptocurrency miners and RATsTrustwave has detected two payloads being distributed through this technique so far: a cryptocurrency miner called CoinMiner and a remote access Trojan (RAT) called QuasarRat.In addition to cryptocurrency mining, CoinMiner can steal data from browsers and Microsoft Outlook profiles. It also collects information about the infected system using the Windows Management Instrumentation (WMI) interface and sends it to the command-and-control server. Finally, it drops a VBS script in the startup folder to ensure its persistence across system reboots.QuasarRat is an open-source Trojan program that’s been around since 2014 and has been used by many groups due to its public availability and versatility.“The self-extracting archive has been around for a long time and eases file distribution among end users,” the Trustwave researchers said. “However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently. The attack technique we detailed only requires one click, and no password input is required to compromise a target. As a result, threat actors can perform a multitude of attacks like cryptojacking, data theft, ransomware, etc.”Even if this technique is intended to hide the final payloads from email security gateways by hiding them in password-protected archives that these products cannot unpack, the presence of executable files – which SFX archive are – packaged inside .ZIP or .ISO files should still trigger alerts and cause users to think twice before clicking on them. Related content news Is China waging a cyber war with Taiwan? Nation-state hacking groups based in China have sharply ramped up cyberattacks against Taiwan this year, according to multiple reports. By Gagandeep Kaur Dec 01, 2023 4 mins Cyberattacks Government news Apple patches info-stealing, zero day bugs in iPads and Macs The vulnerabilities that can allow the leaking of sensitive information and enable arbitrary code execution have had exploitations in the wild. By Shweta Sharma Dec 01, 2023 3 mins Zero-day vulnerability feature The CSO guide to top security conferences Tracking postponements, cancellations, and conferences gone virtual — CSO Online’s calendar of upcoming security conferences makes it easy to find the events that matter the most to you. By CSO Staff Dec 01, 2023 6 mins Technology Industry IT Skills Events news Conti-linked ransomware takes in $107 million in ransoms: Report A ransomware campaign linked to the ostensibly defunct Conti malware group has targeted mostly US businesses, in a costly series of attacks. By Jon Gold Nov 30, 2023 4 mins Ransomware Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe