Threat actors are adding malicious functionality to WinRAR self-extracting (SFX) archives to covertly install persistent backdoors on target computers. The archives themselves hold only a harmless decoy file; the malicious behaviour comes from the SFX setup commands embedded in the archive, which launch PowerShell, the command prompt and Task Manager with SYSTEM-level privileges. According to researchers from CrowdStrike, the attackers begin by uploading a password-protected SFX archive, built with WinRAR or 7-Zip, to the targeted system.
They use stolen credentials to log into the system and then abuse Utility Manager (utilman[.]exe), a legitimate Windows accessibility program. The program itself is not modified; instead the Windows Registry is edited so that a "debugger" (in reality another executable, here the SFX archive) is attached to utilman.exe through its Image File Execution Options key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe, value Debugger). Whenever Windows starts the program it launches the registered debugger instead, passing the program's path as an argument. Because utilman.exe can be started from the logon screen with the Win+U shortcut or the Ease of Access button, before anyone signs in, the SFX payload runs as SYSTEM every time that happens.
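The following audit script is an added example for checking a host for the persistence pattern described above; it is not code from the CrowdStrike report or from the original article. It walks both Image File Execution Options hives, lists every Debugger value, flags targets that are Windows accessibility helpers, and reports whether the registered "debugger" carries a RAR archive signature (the layout of a WinRAR SFX stub) and whether it is Authenticode-signed. The list of accessibility binaries, the 4 MB scan limit and the output field names are the example's own choices.

```powershell
# Added IFEO debugger audit (example code, not the report's or article's own).
# Run from an elevated PowerShell prompt on the host under investigation.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Accessibility helpers that winlogon can launch as SYSTEM from the logon screen
# (assumed watch-list; extend it for your environment).
$accessibilityBinaries = @('utilman.exe','sethc.exe','osk.exe','magnify.exe',
                           'narrator.exe','displayswitch.exe','atbroker.exe')

function Get-DebuggerExecutable {
    # Extracts the executable path from a Debugger value such as
    #   "C:\Users\Public\a.exe" /s   or   C:\Users\Public\a.exe /s
    param([string]$DebuggerValue)
    $v = $DebuggerValue.Trim()
    if ($v.StartsWith('"')) {
        $end = $v.IndexOf('"', 1)
        if ($end -gt 1) { return $v.Substring(1, $end - 1) }
        return $v.Trim('"')
    }
    return ($v -split '\s+')[0]
}

function Test-RarSfx {
    # Returns $true when the RAR signature "Rar!\x1A\x07" appears in the first
    # 4 MB of the file. A WinRAR SFX is an extractor stub with the archive
    # appended, so the signature sits somewhere after the PE image.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] (4MB)
        $read   = $stream.Read($buffer, 0, $buffer.Length)
    } finally { $stream.Close() }
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    $text   = $latin1.GetString($buffer, 0, $read)
    $sig    = 'Rar!' + [char]0x1A + [char]0x07
    return ($text.IndexOf($sig, [System.StringComparison]::Ordinal) -ge 0)
}

function Get-IfeoDebuggerFindings {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue
            if (-not $props -or -not $props.Debugger) { continue }

            $exe    = Get-DebuggerExecutable $props.Debugger
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $signed = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'Missing' }

            [pscustomobject]@{
                Target        = $key.PSChildName
                Hive          = $root
                Debugger      = $props.Debugger
                DebuggerExe   = $exe
                Accessibility = ($accessibilityBinaries -contains $key.PSChildName.ToLower())
                IsRarSfx      = (Test-RarSfx $exe)
                Signature     = $signed
            }
        }
    }
}

$findings = Get-IfeoDebuggerFindings
if (-not $findings) {
    Write-Host 'No IFEO Debugger values present.'
} else {
    $findings | Format-Table -AutoSize
    $suspicious = $findings | Where-Object { $_.Accessibility -or $_.IsRarSfx -or $_.Signature -ne 'Valid' }
    if ($suspicious) {
        Write-Warning ("Review these entries: " + (($suspicious | ForEach-Object { $_.Target }) -join ', '))
    }
}
```

Any Debugger value on an accessibility binary deserves a closer look, because the only legitimate users of the key are real debuggers (for example vsjitdebugger.exe on a developer workstation). A hit whose debugger is a RAR-signed, unsigned executable in a user-writable directory matches the pattern in this report and should be paired with a check of when the registry key was last written and of the logon events around that time.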