URL: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/
ARCHIVE SIDESTEPPING: EMOTET BOTNET PUSHING SELF-UNLOCKING PASSWORD-PROTECTED
RAR

October 20, 2022
Bernard Bautista, Diana Lopera
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged
in password-protected archives with about 96% of these being spammed by the
Emotet Botnet. In the first half of 2022, we identified password-protected ZIP
files as the third most popular archive format used by cybercriminals to conceal
malware. This is significant because one of the most difficult obstacles threat
actors face when conducting this type of spam campaign is to convince the target
to open the archive using the provided password.

The SpiderLabs team noticed an interesting attachment in this spam campaign.
Disguised as an invoice, the attachment, in either ZIP or ISO format, contained a
nested self-extracting (SFX) archive. The first archive is an SFX RAR (RARsfx)
whose sole purpose is to execute a second RARsfx contained within itself. The
second RARsfx is password-protected, but despite that, no user input is necessary
to extract and execute its content. In some samples, the nested SFX archive is
encapsulated further in another archive.



Figure 1: Email sample unpacked with MailMarshal

As mentioned in our previous blog, the main factor in the success of delivering
threats like Emotet via password-protected files is the email recipient's
judgment: the user must be persuaded to open the archive using the password
enclosed in the email. This blog will present a campaign that attempts to
sidestep this 'supply-a-password' hurdle.


THE NESTED SELF-EXTRACTING RAR

Self-extracting archives are commonly used to distribute malware. Setting an
archive as SFX makes the archive executable. This archive format is convenient
as the content of the archive can be unpacked without employing any archiving
tools. Importantly, for this attack, SFX archives also provide the ability to
run script commands.

The first in-archive SFX we collected makes use of either a PDF or Excel icon to
appear legitimate, and has three components:

 1. Batch file – the launcher of the RARsfx component
 2. RARsfx archive – password-protected container of the payload
 3. Images or PDF file – decoy file



Figure 2: The script commands and icon of the RARsfx contained in the attachment
Payment.gz in Figure 1

The script commands from the parent RARsfx silently extract these components to
the %AppData% folder, overwriting any existing files. Then two components are
run: the batch file is launched first, followed by the image or PDF file.



Figure 3: The process flow

The execution of the batch file leads to the installation of the malware lurking
within the password-protected RARsfx. The batch script specifies the password of
the archive and destination folder where the payload will be extracted. Along
with this process, a command prompt is invoked, and the decoy image or PDF
attempts to hide this from view.



Figure 4: The command prompt invoked by the batch file from the RARsfx in Figure
1



Figure 5: Malicious RARsfx in action with image decoy

In later samples, some of the RARsfx archives do not have a decoy file, and
moreover, the destination path of the RARsfx components is changed to the %temp%
folder.



Figure 6: The email sample containing a RARsfx with no decoy component
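As an added defender-side example (not code from the post or from Trustwave), the Python script below looks for the parent-RARsfx traits described above: a PE stub that carries a RAR signature, SFX comment directives that silently extract to %AppData% or %temp% with overwrite and then launch a batch file, and a batch line that starts the nested SFX with a password and destination on its command line. It assumes the SFX script is readable as plain text inside the archive comment and that the batch passes the password and folder with the -p and -d switches a WinRAR SFX accepts; the sample bytes and batch text are constructed, not real attachments.

```python
import re

RAR_SIGS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x and RAR 5 archive signatures
# Setup directives WinRAR reads from the SFX comment (assumption: the comment is stored as plain text)
DIRECTIVE_RE = re.compile(rb"(?<![A-Za-z0-9])(Setup|Path|Silent|Overwrite|TempMode)=([^\r\n\x00]*)", re.I)
# A batch line that launches an .exe and passes the SFX switches -p<password> and -d<destination>
SFX_SWITCHES = re.compile(r"\.exe\b.*\s-p\S+.*\s-d\S*|\.exe\b.*\s-d\S*.*\s-p\S+", re.I)
DROP_DIRS = ("%appdata%", "%temp%")  # the two extraction folders the post reports

def sfx_directives(blob: bytes) -> dict:
    """Locate the RAR archive appended to a PE stub and collect its SFX setup directives."""
    offsets = [i for i in (blob.find(s) for s in RAR_SIGS) if i != -1]
    found = {"is_pe": blob[:2] == b"MZ", "rar_offset": min(offsets) if offsets else -1, "directives": {}}
    if found["rar_offset"] != -1:
        window = blob[found["rar_offset"]:found["rar_offset"] + 65536]  # comment sits near the archive start
        for key, val in DIRECTIVE_RE.findall(window):
            found["directives"].setdefault(key.decode().lower(), []).append(val.decode("latin-1").strip())
    return found

def assess_sfx(blob: bytes) -> list:
    """Return the flags that match the parent-RARsfx behaviour described in the post."""
    info, flags = sfx_directives(blob), []
    d = info["directives"]
    if info["is_pe"] and info["rar_offset"] != -1:
        flags.append("rar-sfx")
    if any(v.lower().endswith((".bat", ".cmd")) for v in d.get("setup", [])):
        flags.append("setup-runs-batch")
    if d.get("silent", ["0"])[0] in ("1", "2"):
        flags.append("silent-extract")
    if d.get("overwrite", ["0"])[0] == "1":
        flags.append("overwrites-existing")
    if any(v.lower().startswith(DROP_DIRS) for v in d.get("path", [])):
        flags.append("drops-to-user-dir")
    return flags

def assess_batch(text: str) -> list:
    """Return batch lines that start a second SFX with its password and destination on the command line."""
    return [line.strip() for line in text.splitlines() if SFX_SWITCHES.search(line)]

# Constructed sample, not a real malware file: fake PE stub, RAR5 signature, then a plain-text SFX comment
SAMPLE_SFX = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32 + RAR_SIGS[1] + b"\x00\x10\x02\x00"
              b"Path=%AppData%\r\nSetup=launcher.bat\r\nSetup=decoy.png\r\nSilent=1\r\nOverwrite=1\r\n")
# Constructed batch file in the shape the post describes; password and file names are placeholders
SAMPLE_BAT = 'start "" "%AppData%\\nested.sfx.exe" -p<password-placeholder> -d%AppData%\n'

if __name__ == "__main__":
    print(assess_sfx(SAMPLE_SFX))   # ['rar-sfx', 'setup-runs-batch', 'silent-extract', 'overwrites-existing', 'drops-to-user-dir']
    print(assess_batch(SAMPLE_BAT))
```

Pointing `assess_sfx` at the bytes of a suspicious attachment and `assess_batch` at any extracted .bat file gives a quick triage signal; a clean PE with no embedded RAR returns no flags.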


THE PAYLOAD

The password-protected RARsfx contains one file, an executable payload. The
executable is extracted and executed from the %AppData% folder. All the
executables in this campaign are .NET compiled and obfuscated with ConfuserEX, a
free and open-source protector for .NET applications.

The payloads we observed from this campaign are CoinMiner and QuasarRat.



Figure 7: The CoinMiner payload from the spam in Figure 1 as viewed in Detect It
Easy tool which shows protection with ConfuserEX

CoinMiner is a threat that mines cryptocurrency by using resources of the
infected system. This malware can also exhibit credential stealer behavior since
it can read user data in web browsers and access Microsoft Outlook profiles.
Such versatility is achieved through its modular design, and it is up to the
command-and-control server or operator to specify what job to do next.

In the samples we analyzed, once CoinMiner is executed, a copy of itself is
created in the %AppData% folder and a VBS script is dropped in the startup
location as a persistence mechanism. CoinMiner uses Windows Management
Instrumentation (WMI) to gather information from the system, such as hardware
details and the antivirus software installed. Such a technique is often used to
detect sandboxes and to hinder analysis. It uses free dynamic DNS domains to
reach its C2 server.

Another payload we came across is the infamous Quasar RAT, an open-source remote
access trojan (RAT) that is publicly available on GitHub. Quasar RAT is widely
used in campaigns conducted by threat actors and is a tool of choice due to its
powerful capabilities. The Cybersecurity and Infrastructure Security Agency
(CISA) provided a technical analysis of Quasar at
https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A.

The Quasar sample we analyzed used the threat actor's own domain and a free
dynamic DNS domain to reach its C2 server. Its mutex follows the default Quasar
pattern, "QSR_MUTEX_[0-9A-Za-z]{18}".


CONCLUSION

The self-extracting archive has been around for a long time and eases file
distribution among end users. However, it poses a security risk since the file
contents are not easily verifiable, and it can run commands and executables
silently. The attack technique we detailed requires only one click, and no
password input is needed to compromise a target. As a result, threat actors
can carry out a multitude of attacks, such as cryptojacking, data theft, and
ransomware.


IOCS

