This variation on an old technique does not require the victim to provide a password to execute the malware. Credit: Thinkstock Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.Self-extracting archives with batch scriptsIn recent spam campaigns observed by Trustwave attackers distributed ZIP or ISO archives disguised as invoices. Both file types can be opened natively on Windows without the use of additional applications. These archives served as a container for executable files with PDF or Excel icons. These files are actually RAR self-extracting (SFX) archives themselves, which, if executed, unpack several other files in a predefined directory: a .bat script, a decoy PDF file, and another .exe files that’s a secondary password-protected RAR self-extracting archive. One feature of SFX archives is that they support the execution of script commands. The primary archive is configured to execute the .bat script and to open the decoy PDF file. The .bat script will in turn execute the secondary SFX archive while also supplying the password for it without the user having to enter it. “In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder,” the researchers said.The secondary SFX archive contains the malicious payload written in .NET and obfuscated with ConfuserEX, a free and open-source protector for .NET applications. Cryptocurrency miners and RATsTrustwave has detected two payloads being distributed through this technique so far: a cryptocurrency miner called CoinMiner and a remote access Trojan (RAT) called QuasarRat.In addition to cryptocurrency mining, CoinMiner can steal data from browsers and Microsoft Outlook profiles. It also collects information about the infected system using the Windows Management Instrumentation (WMI) interface and sends it to the command-and-control server. Finally, it drops a VBS script in the startup folder to ensure its persistence across system reboots.QuasarRat is an open-source Trojan program that’s been around since 2014 and has been used by many groups due to its public availability and versatility. “The self-extracting archive has been around for a long time and eases file distribution among end users,” the Trustwave researchers said. “However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently. The attack technique we detailed only requires one click, and no password input is required to compromise a target. As a result, threat actors can perform a multitude of attacks like cryptojacking, data theft, ransomware, etc.”Even if this technique is intended to hide the final payloads from email security gateways by hiding them in password-protected archives that these products cannot unpack, the presence of executable files – which SFX archive are – packaged inside .ZIP or .ISO files should still trigger alerts and cause users to think twice before clicking on them. Related content feature Finding the perfect match: What CISOs should ask before saying ‘yes’ to a job Sometimes it's not really clear why a company wants to hire a CISO or the role lacks authority. There are some key questions that CISOs can ask to avoid taking a job with too many red flags. By Aimee Chanthadavong Apr 29, 2024 8 mins CSO and CISO Careers opinion Navigating personal liability: post data-breach recommendations for CISOs CISOs can avoid being liable for data breaches by following legal advice, communicating effectively with internal and external stakeholders, and demonstrating commitment to avoid future incidents. By Daniel B. Garrie and Richard A Kramer Apr 29, 2024 8 mins CSO and CISO Data Breach Legal news 2024 CSO30 ASEAN Awards: Call for nominations By Xiou Ann Lim Apr 29, 2024 2 mins Security feature The biggest data breach fines, penalties, and settlements so far Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes have cost these companies a total of nearly $4.4 billion and counting. By Shweta Sharma and Michael Hill Apr 26, 2024 16 mins Data Breach Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe