Social engineering is a common vector for gaining initial access to a company's network. Rather than exploiting a software flaw, the attacker convinces a user to follow a set of instructions that compromises the user's workstation and hands over access to it. This post details how the 7-Zip self-extractor module can be used in a social engineering campaign to disguise a Trojan as a legitimate installer and gain access to a remote system.
The 7-Zip self-extractor module (7zSD) produces an executable that extracts a 7-Zip archive on a machine that does not have 7-Zip installed. 7zSD also reads an optional configuration block that can show the user a title and a prompt and automatically launch a program from the archive once extraction finishes, with the console window hidden. An attacker can dress this up as a legitimate, company-sponsored program: the user sees a plausible prompt, clicks through it, and the payload runs.
Because the self-extractor carries its own extraction code, 7-Zip does not have to be installed on the target system. The attacker does, however, have to prepare the package before delivering it: the payload is packed into a 7-Zip archive, a configuration file describes the prompt and the program to run, and the three parts are joined into one executable with a binary copy:
COPY /b SFX_FILE + config.txt + 7z_ARCHIVE EXE_NAME
Here SFX_FILE is the 7zSD module, config.txt is the SFX configuration, 7z_ARCHIVE is the packed payload, and EXE_NAME is the resulting executable. The /b switch makes COPY treat the inputs as raw binary, so the archive is appended byte for byte instead of being truncated at an end-of-file character.
The icon embedded in the resulting executable is the stock 7zSFX icon. To make the file more convincing, the attacker can swap it for the company's logo with Resource Hacker, a freeware tool for editing the resources (icons included) embedded in an EXE. A company's favicon is easy to find: it is referenced from the site's HTML, typically in a <link rel="icon"> tag, or simply sits at /favicon.ico. That image replaces the 7zSFX icon. For defenders, two things survive this makeover: the executable carries no Authenticode signature, and unless the attacker also edits them, its version-information resources still describe the 7-Zip SFX module. Both are useful signals.
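The build described above leaves fingerprints a defender can look for. The following PowerShell is an added example and not code from the original post: it reads an executable as bytes, looks for the 7-Zip SFX configuration delimiters (;!@Install@!UTF-8! ... ;!@InstallEnd@!) that wrap a config.txt, parses the Key="Value" directives, and checks whether a 7z archive signature follows the configuration. It flags files whose configuration launches a program automatically. The hidcon: check is an assumption about the console-hiding prefix used by some modified 7zSD builds; the sample file is constructed in the temp folder and is not a real executable.

```powershell
# Added example, not from the original post. Assumes the standard 7-Zip SFX
# configuration delimiters and the 7z archive signature; "hidcon:" is assumed
# to be the console-hiding prefix used by some modified 7zSD builds.

function Get-SfxConfig {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one char, so markers can be searched as text.
    $text  = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # A 7z archive starts with "7z" followed by the bytes BC AF 27 1C.
    $archiveSig = '7z' + [char]0xBC + [char]0xAF + [char]0x27 + [char]0x1C

    $info = [ordered]@{
        Path       = $Path
        IsPE       = $text.StartsWith('MZ')
        HasConfig  = $false
        HasArchive = $text.IndexOf($archiveSig, [System.StringComparison]::Ordinal) -ge 0
        Directives = [ordered]@{}
        Suspicious = @()
    }

    # The config block is plain text sandwiched between the SFX stub and the archive.
    $block = [regex]::Match($text, ';!@Install@!UTF-8!(.*?);!@InstallEnd@!', 'Singleline')
    if ($block.Success) {
        $info['HasConfig'] = $true
        foreach ($kv in [regex]::Matches($block.Groups[1].Value, '(\w+)="([^"]*)"')) {
            $info['Directives'][$kv.Groups[1].Value] = $kv.Groups[2].Value
        }
        $flags = @()
        $run = $info['Directives']['RunProgram']
        if ($run -or $info['Directives'].Contains('ExecuteFile')) {
            $flags += 'launches a program automatically after extraction'
        }
        if ($run -and $run.StartsWith('hidcon:')) {
            $flags += 'runs the program with a hidden console window'
        }
        $info['Suspicious'] = $flags
    }
    [pscustomobject]$info
}

# Constructed sample: a fake 'MZ' stub, a config block and the 7z signature,
# concatenated the same way "COPY /b" would. It is not a real executable.
$configText = @'
;!@Install@!UTF-8!
Title="Acme Security Update"
BeginPrompt="Do you want to install the Acme Security Update?"
RunProgram="hidcon:update.exe"
;!@InstallEnd@!
'@
$stub   = [System.Text.Encoding]::ASCII.GetBytes('MZ' + ('.' * 62))
$config = [System.Text.Encoding]::UTF8.GetBytes($configText)
$sig    = [byte[]](0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C)
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'sfx-sample.bin'
[System.IO.File]::WriteAllBytes($sample, [byte[]]($stub + $config + $sig))

Get-SfxConfig -Path $sample | Format-List

# Sweep a folder users download into and keep only SFX files that auto-run something.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SfxConfig -Path $_.FullName } |
    Where-Object { $_.HasConfig -and $_.Suspicious.Count -gt 0 } |
    Select-Object Path, Directives, Suspicious
```

On the constructed sample the function reports IsPE, HasConfig and HasArchive as true and lists both flags. A legitimate self-extracting installer will also carry a config block and often a RunProgram directive, so treat a hit as a triage lead, not a verdict: what matters is where the file came from, whether it is signed, and what the named program does.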
Several measures mitigate the attack described in this post, and more than one should be in place so that no single control is a point of failure. In addition to anti-virus software and email content filtering, the following are a few of the controls that can stop a Trojan masked as a 7-Zip self-extracting executable:
Employees typically use a fixed set of applications to do their jobs. Because they need only a limited number of programs, AppLocker can be used to build an application allow list. AppLocker has been built into Windows since Windows 7 and Windows Server 2008 R2. It is configured through Group Policy and lets administrators specify which executables, DLLs, scripts and installers are trusted, per user or group, by publisher signature, file path or file hash. Any application not explicitly allowed is treated as untrusted and blocked from executing. Against the SFX attack this works at two points: the self-extracting executable itself arrives in a user-writable location such as Downloads and has no trusted publisher, and the payload it extracts into the temp folder and tries to launch is blocked for the same reasons. Enforcement depends on the Application Identity service (AppIDSvc) running on the client, and rules should be rolled out in audit-only mode first so that legitimate software is not broken.
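The allow-list approach described above, as an added example that is not from the original post: the AppLocker cmdlets inventory what is installed in the trusted locations, turn that into publisher and hash rules, write the policy out in audit-only mode, dry-run it against a downloaded "update", and apply it. The directory list, the file name under Downloads and the temp path are illustrative; it has to be run elevated on a machine whose Windows edition enforces AppLocker, and scanning Program Files takes a few minutes on a real system.

```powershell
# Added example, not from the original post. Builds an allow list from what is
# installed, tests a downloaded file against it, and rolls it out in audit mode.
# Paths are illustrative; run elevated.

Import-Module AppLocker

# 1. Inventory the executables and installers in the trusted install locations.
$trustedDirs = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, WindowsInstaller
}

# 2. Generate rules: publisher rules for signed files (they survive updates),
#    hash rules as the fallback for unsigned ones. -Optimize merges duplicates.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -RuleNamePrefix 'Baseline' -User Everyone `
    -Optimize -IgnoreMissingFileInformation

# 3. Start in audit mode: would-be blocks are logged without breaking anyone.
#    Switch EnforcementMode to 'Enabled' once the audit log is quiet.
$xml = [xml]($policy.ToXml())
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policyPath = Join-Path $env:TEMP 'applocker-baseline.xml'
$xml.Save($policyPath)

# 4. Dry-run the policy against a freshly downloaded self-extracting "update".
#    A home-built SFX sits outside the trusted directories and carries no
#    publisher signature, so the decision comes back Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath `
    -Path "$env:USERPROFILE\Downloads\SecurityUpdate.exe" -User Everyone

# 5. Apply locally (add -Ldap with the GPO's LDAP path to push it through Group
#    Policy) and make sure the Application Identity service AppLocker needs is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 6. Watch the AppLocker log: 8003 = would have been blocked (audit mode),
#    8004 = blocked (enforced).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Because the policy contains no path rules, anything users installed under their own profile will show up as 8003 events during the audit period; those are the programs to either package properly or add as explicit rules before switching to enforcement.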
The Enhanced Mitigation Experience Toolkit (EMET) is a Microsoft utility that makes software exploitation harder. Across the processes on a system it can enforce Data Execution Prevention, which blocks attempts to execute code from memory that should hold only data, validate structured exception handler chains so that an overwritten handler pointer is not followed, and force address space layout randomization so that DLLs are not loaded at predictable addresses. These are memory-corruption mitigations: they raise the cost of exploiting a vulnerable application, but they do little against a Trojan the user has been talked into running, which needs no exploit at all. EMET reached end of support in 2018; its mitigations now live in the Exploit Protection feature of Windows Defender Exploit Guard in Windows 10.
Limiting Outbound Ports and Traffic Inspection
Only necessary traffic should be allowed from the internal network to the Internet. The ports that are allowed should flow through a proxy so the traffic can be inspected, and every other port should be blocked. This keeps an attacker from opening a direct connection from the compromised system back to attacker-controlled infrastructure and forces the implant through a choke point where the organization has a chance to detect it. Encrypted connections can be inspected as well when the proxy terminates TLS (interception with a CA certificate the clients trust) rather than passing the sessions through untouched.
Attackers use several methods to mask the Trojans and executables they try to get onto networks through social engineering aimed at employees. Packing an executable into a self-extracting 7-Zip file is both effective and easy for them. Organizations should weigh all of the preventive measures available to defend against these attacks.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.