Archive Sidestepping: Self-Unlocking Password-Protected RAR
Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, Spiderlabs identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware.
Disguised as an invoice, the attachment in either ZIP or ISO format, contained a nested self-extracting (SFX) archive. The first archive is an SFX RAR (RARsfx) whose sole purpose is to execute a second RARsfx contained within itself. The second RARsfx is password-protected but despite that, no user input is necessary to extract and execute its content. In some samples, the nested SFX archive is encapsulated further in another archive.