This variation on an old technique does not require the victim to provide a password to execute the malware. Credit: Thinkstock Distributing malware inside password-protected archives has long been one of the main techniques used by attackers to bypass email security filters. More recently, researchers have spotted a variation that uses nested self-extracting archives that no longer require victims to input the password.“This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password,” researchers from Trustwave SpiderLabs said in a new report.Self-extracting archives with batch scriptsIn recent spam campaigns observed by Trustwave attackers distributed ZIP or ISO archives disguised as invoices. Both file types can be opened natively on Windows without the use of additional applications. These archives served as a container for executable files with PDF or Excel icons. These files are actually RAR self-extracting (SFX) archives themselves, which, if executed, unpack several other files in a predefined directory: a .bat script, a decoy PDF file, and another .exe files that’s a secondary password-protected RAR self-extracting archive. One feature of SFX archives is that they support the execution of script commands. The primary archive is configured to execute the .bat script and to open the decoy PDF file. The .bat script will in turn execute the secondary SFX archive while also supplying the password for it without the user having to enter it. “In later samples, some of the RARsfx archives do not have a decoy file, and moreover, the destination path of the RARsfx components is changed to the %temp% folder,” the researchers said.The secondary SFX archive contains the malicious payload written in .NET and obfuscated with ConfuserEX, a free and open-source protector for .NET applications. Cryptocurrency miners and RATsTrustwave has detected two payloads being distributed through this technique so far: a cryptocurrency miner called CoinMiner and a remote access Trojan (RAT) called QuasarRat.In addition to cryptocurrency mining, CoinMiner can steal data from browsers and Microsoft Outlook profiles. It also collects information about the infected system using the Windows Management Instrumentation (WMI) interface and sends it to the command-and-control server. Finally, it drops a VBS script in the startup folder to ensure its persistence across system reboots.QuasarRat is an open-source Trojan program that’s been around since 2014 and has been used by many groups due to its public availability and versatility. “The self-extracting archive has been around for a long time and eases file distribution among end users,” the Trustwave researchers said. “However, it poses a security risk since the file contents are not easily verifiable, and it can run commands and executables silently. The attack technique we detailed only requires one click, and no password input is required to compromise a target. As a result, threat actors can perform a multitude of attacks like cryptojacking, data theft, ransomware, etc.”Even if this technique is intended to hide the final payloads from email security gateways by hiding them in password-protected archives that these products cannot unpack, the presence of executable files – which SFX archive are – packaged inside .ZIP or .ISO files should still trigger alerts and cause users to think twice before clicking on them. Related content news CISA, FBI urge developers to patch path traversal bugs before shipping The advisory highlights how developers can follow best practices to fix these vulnerabilities during production. By Shweta Sharma May 03, 2024 3 mins Vulnerabilities news Microsoft continues to add, shuffle security execs in the wake of security incidents The company has appointed new product security chiefs as well as a customer-facing CISO as it continues to respond to high-profile attacks on its products and own network. By Elizabeth Montalbano May 03, 2024 4 mins CSO and CISO feature Malware explained: How to prevent, detect and recover from it What are the types of malware? How does malware spread? How do you know if you’re infected? We've got answers. By Josh Fruhlinger May 03, 2024 18 mins Ransomware Phishing Malware brandpost Sponsored by Cyber NewsWire LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely from Any Browser, Anywhere Early adoption by Fortune 100 companies worldwide, LayerX already secures more users than any other browser security solution and enables unmatched security, performance and experience By Cyber NewsWire May 02, 2024 4 mins Cyberattacks Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe