Attackers switch to self-extracting password-protected archives to distribute email malware

Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.

“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.

Self-extracting archives with batch scripts

In recent spam campaigns observed by Trustwave attackers distributed ZIP or ISO archives disguised as invoices. Both file types can be opened natively on Windows without the use of additional applications.

These archives served as a container for executable files with PDF or Excel icons. These files are actually RAR self-extracting (SFX) archives themselves, which, if executed, unpack several other files in a predefined directory: a .bat script, a decoy PDF file, and another .exe files that’s a secondary password-protected RAR self-extracting archive.

One feature of SFX archives is that they support the execution of script commands. The primary archive is configured to execute the .bat script and to open the decoy PDF file. The .bat script will in turn execute the secondary SFX archive while also supplying the password for it without the user having to enter it. “In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder,” the researchers said.

The secondary SFX archive contains the malicious payload written in .NET and obfuscated with ConfuserEX, a free and open-source protector for .NET applications.

Cryptocurrency miners and RATs

Trustwave has detected two payloads being distributed through this technique so far: a cryptocurrency miner called CoinMiner and a remote access Trojan (RAT) called QuasarRat.

In addition to cryptocurrency mining, CoinMiner can steal data from browsers and Microsoft Outlook profiles. It also collects information about the infected system using the Windows Management Instrumentation (WMI) interface and sends it to the command-and-control server. Finally, it drops a VBS script in the startup folder to ensure its persistence across system reboots.

QuasarRat is an open-source Trojan program that’s been around since 2014 and has been used by many groups due to its public availability and versatility.

“The self-extracting archive has been around for a long time and eases file distribution among end users,” the Trustwave researchers said. “However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently. The attack technique we detailed only requires one click, and no password input is required to compromise a target. As a result, threat actors can perform a multitude of attacks like cryptojacking, data theft, ransomware, etc.”

Even if this technique is intended to hide the final payloads from email security gateways by hiding them in password-protected archives that these products cannot unpack, the presence of executable files – which SFX archive are – packaged inside .ZIP or .ISO files should still trigger alerts and cause users to think twice before clicking on them.