2023-04-05

CrowdStrike security researchers have detected an attack that uses WinRAR self-extracting archives as a backdoor.

The self-extracting WinRAR archive is set to launch PowerShell.exe, cmd.exe, and Windows Task Manager after it completes the extraction process.

The specific self-extracting archive can be run through the utilman.exe application without the need to log in to an account.

WinRAR has a handy feature that allows users to create RAR archives for systems that do not have WinRAR installed. The archive is packaged as a .exe file that extracts its contents without needing the WinRAR software. Such archives are called “self-extracting WinRAR archives”, or SFX for short. They can also be protected with a password.

Utilizing the utilman.exe application

According to CrowdStrike, hackers are now abusing this feature of WinRAR to plant backdoors on target systems. CrowdStrike detected an attack in which stolen credentials were used to abuse utilman.exe on Windows systems, an accessibility application that can be launched from the login screen before any user signs in. This tool is frequently abused by hackers.

The SFX file used by the hackers contains only an empty text file, which plays no role in the attack. However, once the extraction process completes, the SFX is set to run PowerShell.exe, cmd.exe, and Windows Task Manager. The SFX archive is also password-protected, so a user who does not know the password cannot see what it does.

Using the utilman.exe application, hackers can run the specific self-extracting WinRAR archive to launch PowerShell, cmd.exe, and Task Manager without the need to log in to a user’s account.

This means that having one of those SFX files on your hard drive, most likely in the Downloads folder, creates a huge security risk. CrowdStrike states that since the archive contains no malware and is password-protected, antivirus software will probably miss the threat.
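Because the archive itself gives antivirus nothing to flag, the chain described above is easier to catch in process lineage than on disk: utilman.exe should only ever start accessibility tools, never an executable from a Downloads folder that then spawns PowerShell, cmd.exe, and Task Manager. The script below is an added example (not CrowdStrike's or WinRAR's code) that walks constructed process-creation events, with hypothetical pids, paths, and file names, and reports that chain.

```python
import os

# Accessibility tools utilman.exe launches legitimately; anything else is suspect.
EXPECTED_UTILMAN_CHILDREN = {"osk.exe", "magnify.exe", "narrator.exe", "sethc.exe"}
# Interpreters/tools the reported SFX starts after extraction.
SHELLS = {"powershell.exe", "cmd.exe", "taskmgr.exe"}

# Constructed sample events (Sysmon Event ID 1-style fields, trimmed); all values hypothetical.
SAMPLE_EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\System32\winlogon.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\utilman.exe"},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\System32\osk.exe"},            # benign on-screen keyboard
    {"pid": 4, "ppid": 2, "image": r"C:\Users\alice\Downloads\report.exe"},   # SFX started via utilman
    {"pid": 5, "ppid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 6, "ppid": 4, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 7, "ppid": 4, "image": r"C:\Windows\System32\Taskmgr.exe"},
]

def basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()

def ancestry(events_by_pid, pid, limit=8):
    """Return [self, parent, grandparent, ...] image basenames for pid."""
    chain = []
    while pid in events_by_pid and len(chain) < limit:
        ev = events_by_pid[pid]
        chain.append(basename(ev["image"]))
        pid = ev["ppid"]
    return chain

def find_utilman_sfx_chains(events):
    """Flag processes utilman.exe started that are not accessibility tools, and any
    shell/Task Manager whose ancestry runs through utilman.exe. Returns (pid, chain)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(by_pid, e["pid"])
        if "utilman.exe" not in chain[1:]:
            continue                                  # utilman.exe is not an ancestor
        idx = chain.index("utilman.exe", 1)
        launched = chain[idx - 1]                     # what utilman.exe actually started
        if chain[0] in SHELLS or (idx == 1 and launched not in EXPECTED_UTILMAN_CHILDREN):
            findings.append((e["pid"], " -> ".join(reversed(chain[: idx + 1]))))
    return findings

if __name__ == "__main__":
    for pid, chain in find_utilman_sfx_chains(SAMPLE_EVENTS):
        print(f"pid {pid}: {chain}")
```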