Exploit in WinRAR SFX archives allows attackers to install backdoors silently
Threat actors are exploiting WinRAR self-extracting (SFX) archives that contain decoy files to install backdoors on target systems without being detected. SFX archives have long been used for legitimate purposes: they are designed to give users access to the packed contents even when no decompression software is installed. Security detections may miss malicious functionality hidden within these archives. Researchers have found that an apparently empty SFX archive can be risky too, because, when combined with a specific registry key, it may give attackers a persistent backdoor into a victim's environment.
Attackers are using password-protected SFX archives as backdoors by exploiting the Image File Execution Options (IFEO) debugger setting in the Windows registry, which lets them run binaries of their choice without authenticating and so bypass security measures. In a recent case, the attackers pointed the debugger at a password-protected SFX archive, which cannot be unarchived without the correct password. They also added commands under the WinRAR SFX setup menu so that the archive functioned as a password-protected backdoor.
To prevent such attacks, use unarchiving software or other tools to examine SFX archives for scripts or executables that are set to extract and run on execution. Examine the SFX decompressor stub itself, not just the archived contents, to identify any commands that run before, during, or after a successful extraction. Carefully inspect any SFX archive that contains only a null-byte file for added functionality, and check the registry for SFX files configured as a debugger.
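One way to triage an SFX file along the lines recommended above, as an added example that is not part of the original article or any vendor tool: confirm the PE stub is followed by RAR data, then pull out the WinRAR SFX script directives (Setup=, Presetup=, Silent=, Overwrite=, ...) that decide what runs on extraction. The sample bytes and the file name hidden_tool.exe are constructed for this example; a compressed archive comment will not match this cleartext scan, so dump the comment with the unarchiver when in doubt.

```python
"""Heuristic triage of a WinRAR SFX archive: is it a PE stub with a RAR payload,
and does its SFX script (stored in the archive comment) run or hide anything?
All sample bytes below are constructed for this example, not from a real sample."""
import re
from dataclasses import dataclass, field

RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
# WinRAR SFX script commands. EXEC_KEYS either run code or hide the dialog.
EXEC_KEYS = ("Setup", "Presetup", "Silent", "Overwrite", "TempMode")
INFO_KEYS = ("Path", "Title", "Text", "Shortcut", "Delete", "Update")
DIRECTIVE_RE = re.compile(
    rb"(?<![A-Za-z])(" + b"|".join(k.encode() for k in EXEC_KEYS + INFO_KEYS)
    + rb")=([^\r\n\x00]*)")

@dataclass
class SfxTriage:
    is_pe: bool
    rar_offset: int                                   # -1 when no RAR data found
    directives: list = field(default_factory=list)    # (key, value) in file order
    suspicious: list = field(default_factory=list)    # "Key=value" for EXEC_KEYS

def triage_sfx(data: bytes) -> SfxTriage:
    hits = [h for h in (data.find(s) for s in (RAR5_SIG, RAR4_SIG)) if h != -1]
    t = SfxTriage(is_pe=data.startswith(b"MZ"), rar_offset=min(hits) if hits else -1)
    if t.rar_offset == -1:
        return t
    # The SFX script lives in the archive comment. A compressed comment will not
    # match here (caveat): dump it with the unarchiver for a definitive answer.
    for m in DIRECTIVE_RE.finditer(data[t.rar_offset:]):
        key, val = m.group(1).decode(), m.group(2).decode("ascii", "replace").strip()
        t.directives.append((key, val))
        if key in EXEC_KEYS:
            t.suspicious.append(f"{key}={val}")
    return t

def is_backdoor_candidate(t: SfxTriage) -> bool:
    """PE stub + RAR payload + a script that runs something without a dialog."""
    keys = {k for k, _ in t.directives}
    return t.is_pe and t.rar_offset != -1 and "Setup" in keys and "Silent" in keys

# Constructed sample: a fake PE stub, RAR5 signature, then a cleartext SFX script
# that opens a decoy document and also runs a second, hidden program.
SAMPLE_SFX = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64
              + RAR5_SIG + b"\x01\x02\x03"
              + b"Path=%temp%\r\nSetup=decoy.pdf\r\nSetup=hidden_tool.exe\r\n"
              + b"Silent=1\r\nOverwrite=1\r\n" + b"\x00" * 16)
SAMPLE_PLAIN_EXE = b"MZ" + b"\x00" * 128   # ordinary executable, no RAR payload

if __name__ == "__main__":
    r = triage_sfx(SAMPLE_SFX)
    print(r.suspicious, is_backdoor_candidate(r))
```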
