Protect Against Masked Trojan Executables That Use 7-Zip

Christopher Wilkinson | 5/12/2016

Trojan Attacks

Social engineering is a popular vector for attackers to gain initial access to a company’s network. Attackers use many methods to convince users to follow a set of instructions that will compromise the user’s workstation and give the attacker access to it. This post details how a 7-Zip module can be used in social engineering to conceal malware known as a Trojan in order to gain access to a remote system.

7-Zip Self-Extractor Module

A 7-Zip self-extractor module (7zSD) creates an executable that will extract the 7-Zip file without having 7-Zip installed. 7zSD also includes features to provide the user with prompts and to automatically launch a program contained in the 7-Zip archive using a hidden console. Attackers can use this as part of a social engineering campaign with the goal of convincing users that the executable is a legitimate, company-sponsored program.

Masking the Trojan

When attackers attempt to access a company’s network using a 7zSD, 7-Zip does not have to be installed on the remote system. However, attackers must perform the following steps prior to delivering the payload.

  1. Create a .7z archive containing the exploit EXE.
  2. Download the latest stable version of the 7zSD module.
  3. Use 7-Zip to extract the 7zSD module.
  4. Create the configuration file to customize the self-extraction EXE:
    • Open Notepad and create a configuration file that starts and ends with the following two lines; the variables described below go between them:
      ;!@Install@!UTF-8!
      ;!@InstallEnd@!
    • The variables from the configuration file are explained below. The text in all caps in the configuration file must be replaced with the relevant information.
      • Title – The title of the window that is presented to the user.
      • BeginPrompt – The initial prompt presented to the user. (To create a new line, the escape sequence “\n” can be used.)
      • RunProgram – Details about the executable, including:
        • nowait = The self-extractor performs every step without pausing.
        • hidcon = The specified program is run in a hidden console window.
        • fm5 = The message that is displayed for five seconds before the window closes automatically.
        • EXPLOIT_EXE = The file name of the EXE stored in the .7z archive created in step one; it should include “.exe”.
      • InstallPath – The path to the folder that the EXE will be extracted to. This folder will be created if it does not exist. Environment variables can be used to dynamically specify the destination folder. All backslashes must be escaped (i.e. “C:\Temp” should be “C:\\Temp”).
      • OverwriteMode – A setting that defines whether existing files should be overwritten with the extracted files.
      • ExtractTitle – The message that will appear in the progress window as the EXE is being extracted.
      • GUIMode – A setting that determines the type of display and the options given to the user during extraction. If enabled, it hides the “Cancel” button and disables the “Close” button (in the window title bar) and the “Esc” key on the keyboard.
      • GUIFlags – Display the 7-Zip Self-Extraction (7zSFX) icon in the “BeginPrompt” dialog window instead of the “question mark” system icon. The flag is ignored if the “BeginPrompt” parameter is not present in the configuration file.
      • SelfDelete – Do not automatically delete the 7zSFX EXE after the extraction. Note that “1” is the only accepted value for this variable; all others are ignored.
      • FinishMessage – The message that is displayed to the user to indicate that the extraction process is complete.
    • Save the file as “config.txt” and close Notepad.
  5. Create the 7zSFX EXE:
    COPY /b SFX_FILE + config.txt + 7z_ARCHIVE EXE_NAME
      • SFX_FILE = Path to the .SFX file obtained in step three.
      • 7z_ARCHIVE = Path to the .7z archive created in step one.
      • EXE_NAME = The name of the 7zSFX EXE that the user will run to extract the exploit EXE.
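Because COPY /b simply concatenates the SFX stub, config.txt and the archive, the configuration text survives verbatim inside the resulting EXE. The following added example (not code from the original post) is a small Python scanner that locates that block in a file and flags the settings listed above; the sample bytes, the window titles and the name payload.exe are constructed for the demonstration.

```python
import re
from typing import Dict, List, Optional

# Markers that delimit the text configuration appended to a 7zSFX module.
CONFIG_START = b";!@Install@!UTF-8!"
CONFIG_END = b";!@InstallEnd@!"
SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # first bytes of every .7z archive
_KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')  # one line: Key="value"


def extract_sfx_config(data: bytes) -> Optional[Dict[str, str]]:
    """Return the Key/value pairs of an embedded 7zSFX config, or None if absent."""
    start = data.find(CONFIG_START)
    if start < 0:
        return None
    end = data.find(CONFIG_END, start)
    if end < 0:
        return None
    body = data[start + len(CONFIG_START):end].decode("utf-8", "replace")
    config = {}
    for line in body.splitlines():
        match = _KV_RE.match(line)
        if match:
            config[match.group(1)] = match.group(2)
    return config


def assess_sfx_config(config: Dict[str, str]) -> List[str]:
    """Flag the settings the post lists as useful for concealing an auto-run payload."""
    findings = []
    run = config.get("RunProgram", "")
    if run:
        findings.append(f"RunProgram auto-launches '{run}' after extraction")
    if "hidcon" in run:
        findings.append("hidcon: the launched program runs in a hidden console")
    if "nowait" in run:
        findings.append("nowait: extraction runs every step without pausing")
    if "GUIMode" in config:
        findings.append(f"GUIMode={config['GUIMode']}: Cancel/Close/Esc may be disabled")
    return findings


def build_sample() -> bytes:
    """Constructed stand-in for a COPY /b result: stub + config.txt + archive header."""
    config = (b'\r\nTitle="IT Update"\r\nBeginPrompt="Install the update?\\n"\r\n'
              b'RunProgram="hidcon:nowait:fm5:payload.exe"\r\n'
              b'InstallPath="%TEMP%\\\\update"\r\nGUIMode="1"\r\n')
    return b"MZ" + b"\x00" * 64 + CONFIG_START + config + CONFIG_END + SEVENZIP_MAGIC
```

Run `assess_sfx_config(extract_sfx_config(open(path, "rb").read()))` over files arriving by e-mail or landing in user-writable folders; a legitimate installer rarely combines a hidden console with an auto-run program.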

Modifying the Icon

The icon that is used in the self-extraction EXE is the 7zSFX icon. To make the self-extraction EXE more convincing, this icon can be replaced with a company logo by using Resource Hacker™ freeware. This tool allows you to modify embedded icons in an EXE. Generally, it is easy to find a favicon on a company’s website by looking at the site’s CSS file. The favicon can be used to replace the traditional 7zSFX icon.

Various methods may be used to mitigate the attack described in this post. Multiple methods should be put into place to avoid a single point of failure and to create a layered security approach. In addition to anti-virus software and email content filtering, the following are only a few of the methods that can be used to prevent the attack of a masked Trojan executable using 7-Zip:

Application Whitelisting
Typically, employees have a set of applications that they use to perform their job. Because they only require access to a limited number of applications, tools like AppLocker® security software could be used to create an application whitelist. AppLocker software has been built into Microsoft® operating systems since the release of the Windows® 7 operating system and the Windows Server® 2008 R2 server operating system. It is configurable via Group Policy and provides system administrators with a method of specifying trusted applications to the system, either by user or group. Any application that is not specifically allowed in the AppLocker software is considered untrusted and therefore blocked from executing.

Enhanced Mitigation Experience Toolkit
The Enhanced Mitigation Experience Toolkit (EMET) is a utility provided by Microsoft that helps prevent software exploitation. Across all processes executing on a system, EMET can monitor for programs attempting to execute code in a portion of memory reserved for data (which should only be considered readable and writable), validate exception handlers to ensure the pointer has not been overwritten, and protect dynamic link libraries (DLLs) from being placed in predictable memory locations. (EMET has since reached end of life; Windows 10 carries the same class of mitigations forward as Exploit Protection.)

Limiting Outbound Ports and Traffic Inspection
Only necessary traffic should be allowed from the internal network to the Internet. Ports that are allowed should flow through a proxy so the traffic may be monitored, and all other ports should be blocked. This limits attackers from creating direct connections between the compromised system and themselves, thus giving an organization an opportunity to detect the malicious activity. Secured connections can be monitored as well once SSL/TLS interception (decryption at the proxy) has been put in place.

Protect Your Network

Attackers use several methods to mask the Trojans and executables they attempt to get onto networks via social engineering that targets employees. For attackers, packing an executable in a self-extracting 7-Zip file is a process that is both effective and easy. Organizations need to consider every available preventive measure to defend against these types of attacks.

Microsoft, AppLocker, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.