This variation on an old technique does not require the victim to provide a password to execute the malware. Credit: Thinkstock Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.Self-extracting archives with batch scriptsIn recent spam campaigns observed by Trustwave attackers distributed ZIP or ISO archives disguised as invoices. Both file types can be opened natively on Windows without the use of additional applications. These archives served as a container for executable files with PDF or Excel icons. These files are actually RAR self-extracting (SFX) archives themselves, which, if executed, unpack several other files in a predefined directory: a .bat script, a decoy PDF file, and another .exe files that’s a secondary password-protected RAR self-extracting archive. One feature of SFX archives is that they support the execution of script commands. The primary archive is configured to execute the .bat script and to open the decoy PDF file. The .bat script will in turn execute the secondary SFX archive while also supplying the password for it without the user having to enter it. “In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder,” the researchers said.The secondary SFX archive contains the malicious payload written in .NET and obfuscated with ConfuserEX, a free and open-source protector for .NET applications. Cryptocurrency miners and RATsTrustwave has detected two payloads being distributed through this technique so far: a cryptocurrency miner called CoinMiner and a remote access Trojan (RAT) called QuasarRat.In addition to cryptocurrency mining, CoinMiner can steal data from browsers and Microsoft Outlook profiles. It also collects information about the infected system using the Windows Management Instrumentation (WMI) interface and sends it to the command-and-control server. Finally, it drops a VBS script in the startup folder to ensure its persistence across system reboots.QuasarRat is an open-source Trojan program that’s been around since 2014 and has been used by many groups due to its public availability and versatility. “The self-extracting archive has been around for a long time and eases file distribution among end users,” the Trustwave researchers said. “However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently. The attack technique we detailed only requires one click, and no password input is required to compromise a target. As a result, threat actors can perform a multitude of attacks like cryptojacking, data theft, ransomware, etc.”Even if this technique is intended to hide the final payloads from email security gateways by hiding them in password-protected archives that these products cannot unpack, the presence of executable files – which SFX archive are – packaged inside .ZIP or .ISO files should still trigger alerts and cause users to think twice before clicking on them. Related content feature What are non-human identities and why do they matter? When digital systems need access and permissions they require credentials just like human beings. These non-human identities allow many components of complex systems to work together but present significant security issues. By Chris Hughes Jun 03, 2024 8 mins Access Control Identity and Access Management Network Security news Microsoft: The brand attackers love to imitate Cybercriminals often hide attack attempts behind well-known brand names with the intent to trick targeted users into making the fatal click. Microsoft is their favorite — by far. By Martin Bayer Jun 03, 2024 3 mins Phishing Email Security Cybercrime news Bug in EmbedAI can allow poisoned data to sneak into your LLMs The vulnerability can be used to deceive a user into inadvertently uploading and integrating incorrect data into the application’s language model. By Shweta Sharma May 31, 2024 3 mins Generative AI Vulnerabilities news OpenAI accuses Russia, China, Iran, and Israel of misusing its GenAI tools for covert Ops OpenAI’s generative AI tools were used to create and post propaganda content on various geo-political and socio-economic issues across social media platforms, the company said. By Gyana Swain May 31, 2024 4 mins Generative AI PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe