4/21/2023 0 Comments Unlock rar password![]() ![]() The batch file is launched first followed by an image or PDF file. The script commands from the parent RARsfx silently extract these components to the %AppData% folder with existing files overwritten. RARsfx archive – password-protected container of the payloadįigure 2: The script commands and icon of the RARsfx contained in the attachment Payment.gz in Figure 1.Batch file – the launcher of the RARsfx component. ![]() The first in-archive SFX we collected makes use of either a PDF or Excel icon to appear legitimate, and has three components: Importantly, for this attack, SFX archives also provide the ability to run script commands. This archive format is convenient as the content of the archive can be unpacked without employing any archiving tools. Setting an archive as SFX makes the archive executable. Self-extracting archives are commonly used to distribute malware. This blog will present a campaign that attempts to override this ‘supply-a-password' hurdle. ![]() The user must be persuaded to open the archive using the password enclosed in the email. In some samples, the nested SFX archive is encapsulated further in another archive.įigure 1: Email sample unpacked with MailMarshalĪs mentioned in our previous blog, the main factor in the success of delivering threats via password-protected files like Emotet is the email recipient’s intuition. The second RARsfx is password-protected but despite that, no user input is necessary to extract and execute its content. The first archive is an SFX RAR (RARsfx) whose sole purpose is to execute a second RARsfx contained within itself. Disguised as an invoice, the attachment in either ZIP or ISO format, contained a nested self-extracting (SFX) archive. The SpiderLabs team noticed an interesting attachment in this spam campaign. This is significant because one of the most difficult obstacles threat actors face when conducting this type of spam campaign is to convince the target to open the archive using the provided password. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware. Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |