Self-Unlocking Password-Protected RAR

Archive Sidestepping: Self-Unlocking Password-Protected RAR

Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, Spiderlabs identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.

Disguised as an invoice, the attachment in either ZIP or ISO format, contained a nested self-extracting (SFX) archive. The first archive is an SFX RAR (RARsfx) whose sole purpose is to execute a second RARsfx contained within itself. The second RARsfx is password-protected but despite that, no user input is necessary to extract and execute its content. In some samples, the nested SFX archive is encapsulated further in another archive.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sidestepping-self-unlocking-password-protected-rar/

Self-Unlocking Password-Protected RAR
Scroll to top
× How can I help you? Available from 08:00 to 22:00