- Password protected rar extractor pdf#
- Password protected rar extractor archive#
- Password protected rar extractor iso#
All the executables in this campaign are. The executable is extracted and executed from the %AppData% folder. The password-protected RARsfx contains one file, an executable payload. In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder.įigure 6: The email sample containing a RARsfx with no decoy component The Payload
Password protected rar extractor pdf#
Along with this process, a command prompt is invoked, and the decoy image or PDF attempts to hide this from view.įigure 4: The command prompt invoked by the batch file from the RARsfx in Figure 1įigure 5: Malicious RARsfx in action with image decoy
Password protected rar extractor archive#
The batch script specifies the password of the archive and destination folder where the payload will be extracted. The execution of the batch file leads to the installation of the malware lurking within the password-protected RARsfx.
The batch file is launched first followed by an image or PDF file. The script commands from the parent RARsfx silently extract these components to the %AppData% folder with existing files overwritten. RARsfx archive – password-protected container of the payloadįigure 2: The script commands and icon of the RARsfx contained in the attachment Payment.gz in Figure 1.Batch file – the launcher of the RARsfx component.The first in-archive SFX we collected makes use of either a PDF or Excel icon to appear legitimate, and has three components: Importantly, for this attack, SFX archives also provide the ability to run script commands. This archive format is convenient as the content of the archive can be unpacked without employing any archiving tools. Setting an archive as SFX makes the archive executable. Self-extracting archives are commonly used to distribute malware. This blog will present a campaign that attempts to override this ‘supply-a-password' hurdle. The user must be persuaded to open the archive using the password enclosed in the email. In some samples, the nested SFX archive is encapsulated further in another archive.įigure 1: Email sample unpacked with MailMarshalĪs mentioned in our previous blog, the main factor in the success of delivering threats via password-protected files like Emotet is the email recipient’s intuition. The second RARsfx is password-protected but despite that, no user input is necessary to extract and execute its content. The first archive is an SFX RAR (RARsfx) whose sole purpose is to execute a second RARsfx contained within itself.
Password protected rar extractor iso#
Disguised as an invoice, the attachment in either ZIP or ISO format, contained a nested self-extracting (SFX) archive. The SpiderLabs team noticed an interesting attachment in this spam campaign. This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password.
In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware. Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet.
0 kommentar(er)
