The Dangers of 7-Zip and WinRAR (2024)

Archiving tools like 7-Zip and WinRAR are great; they help compress old files and simplify sending data to others. It's hard to imagine a world without them because they are incredibly helpful and valuable. However, 7-Zip and WinRAR also serve as valuable assets to cybercriminals.

This article discusses how attackers have been weaponizing these popular and helpful tools.

Over the past few months, ThreatLocker® has noticed a trend of malicious actors moving away from custom ransomware encryption tools to abusing trusted tools like 7-Zip and WinRAR.

What are 7-Zip and WinRAR?

7-Zip and WinRAR are two of the most popular compression tools on the market. They support stronger compression formats and offer more options than other compression tools.

7-Zip and WinRAR have many similarities but quite a few differences in capabilities. Both applications, for example, can extract most compression types, but 7-Zip can compress into more formats than WinRAR.

There are many good reasons to use 7-Zip and WinRAR. They can allow you to store more files on a machine and make moving files easier by compressing everything first.

How ransomware uses this against you

While 7-Zip and WinRAR are excellent, these applications also serve as powerful instruments for attackers. They come packaged with all the tools needed to cause mayhem on victims' machines while the activity looks like that of an innocent user. Attackers use these tools in two main ways.

Exfiltrating data

When a ransomware group wants to remove data from a system, it must upload the captured data to a location controlled by the attacker. The problem attackers face is that if the victim monitors network traffic, a large transfer consuming a lot of bandwidth over a long period will get them caught. To avoid this, attackers will often exfiltrate data over weeks or months. During these periods they go unnoticed because the amount of data transmitted at any one time is small and blends in with the rest of the traffic. Compressing the data first helps further: it either shortens the upload or makes uploading at a slower rate practical.

Encrypting data

Both 7-Zip and WinRAR offer attackers many opportunities for misuse. Two options in particular allow attackers to set a password on the archive and to delete the source files after archiving. Used together, these two options turn either application into a fully functional ransomware encryptor.

Why the Weaponization of 7-Zip and WinRAR Is Hard to Stop

The worst part about these data exfiltration and encryption strategies is that defenders constantly struggle to protect their data against them. Attackers love applications like 7-Zip and WinRAR because they are already on a victim's machine. Another bonus for threat actors is that anti-virus software will not flag 7-Zip and WinRAR, because they are known or approved tools in the environment.

This issue goes beyond 7-Zip and WinRAR; almost any application can be weaponized for damaging cyberattacks. Tools like these have legitimate use cases that make it extremely difficult for anyone without the surrounding context to tell an attacker's actions apart from those of a valid user.

It is crucial to understand that password-encrypting an archive is not inherently malicious. Legitimate reasons include encrypting sensitive personal information such as medical records or social security data. Similarly, deleting files is not always a red flag, as data administrators may archive old files for compliance and to free up storage space. These are the challenges that every security vendor must urgently address in order to detect and effectively prevent such attacks and breaches in real time.

How do you stay safe?

The weaponization of 7-Zip and WinRAR is not a danger of the distant future. Attackers are taking advantage of these tools right now.

So, how are you protecting yourself? While this question is difficult to answer, there are some things that you can do to protect yourself.

Know the software that you use.

An EDR will only tell you when someone is already acting against you. An anti-virus will only protect you from known bad software. An allowlisting solution is the best way to protect yourself from most of these threats.

How ThreatLocker® Mitigates the Weaponization of 7-Zip and WinRAR

  1. Application Allowlisting: Allow only the applications you need to run and block all others by default. This also allows only certain users to use the approved software, preventing unauthorized tools from running on your system.
  2. Ringfencing™: Control what your allowed applications can do. For instance, you can prevent 7-Zip or WinRAR from accessing specific sensitive directories or from being able to execute other applications.
  3. ThreatLocker® Detect: This can be used to detect unusually high read and write activity performed by WinRAR and 7-Zip.
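The detection idea above, together with the two options called out under "Encrypting data" (archive password and delete-after-archiving), can be expressed as a simple rule over process-creation telemetry. The following is an added example written for this article, not ThreatLocker's code or product logic; the sample events, the user names, the paths and the 500 MB write threshold are all constructed, and the rule deliberately reports the benign cases as "no finding", since the article stresses that each option on its own is often legitimate.

```python
import re

# Process images for the two archivers the article discusses (lowercase, no path).
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe", "rar.exe", "winrar.exe"}

# The two options the article singles out, as they appear on the command line:
#   7-Zip:  -p[password] sets an archive password, -sdel deletes sources after archiving
#   WinRAR: -p[password] / -hp[password] set a password, -df deletes sources after archiving
PASSWORD_RE = re.compile(r"(?:^|\s)-(?:hp|p)\S*(?=\s|$)", re.IGNORECASE)
DELETE_RE = re.compile(r"(?:^|\s)-(?:sdel|df)(?=\s|$)", re.IGNORECASE)


def assess_event(event, write_threshold_mb=500):
    """Return None for ordinary-looking use, otherwise a finding dict with reasons."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ARCHIVERS:
        return None
    cmd = event.get("cmdline", "")
    reasons = []
    if PASSWORD_RE.search(cmd):
        reasons.append("password-protected archive")
    if DELETE_RE.search(cmd):
        reasons.append("source files deleted after archiving")
    if event.get("bytes_written", 0) >= write_threshold_mb * 2**20:
        reasons.append("high write volume")  # the "high reading and writing" signal
    if not reasons:
        return None
    # Password + delete together is the ransomware-encryptor pattern the article describes;
    # any single signal on its own may well be a legitimate admin or backup job.
    ransomware_like = ("password-protected archive" in reasons
                       and "source files deleted after archiving" in reasons)
    return {"user": event.get("user"), "image": image,
            "severity": "high" if ransomware_like else "medium", "reasons": reasons}


def scan(events, **kw):
    return [f for f in (assess_event(e, **kw) for e in events) if f]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\7-Zip\7z.exe", "user": "CORP\\jsmith", "bytes_written": 40 * 2**20,
     "cmdline": r"7z.exe a -tzip reports_2023.zip C:\Share\Reports\2023\*"},           # benign
    {"image": r"C:\Program Files\7-Zip\7z.exe", "user": "CORP\\jsmith", "bytes_written": 900 * 2**20,
     "cmdline": r"7z.exe a -p -sdel C:\Temp\f.7z C:\Share\Finance\*"},                 # encryptor pattern
    {"image": r"C:\Program Files\WinRAR\Rar.exe", "user": "CORP\\svc-backup", "bytes_written": 60 * 2**20,
     "cmdline": r"rar.exe a -hp -df D:\Staging\hr.rar C:\Share\HR\*"},                 # encryptor pattern
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe", "user": "CORP\\asmith", "bytes_written": 5 * 2**20,
     "cmdline": r"winrar.exe x C:\Downloads\drivers.rar"},                             # benign extraction
    {"image": r"C:\Program Files\7-Zip\7z.exe", "user": "CORP\\svc-backup", "bytes_written": 2 * 2**30,
     "cmdline": r"7z.exe a D:\Backup\monthly.7z D:\Data\*"},                           # volume only
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the medium findings would be correlated with the user, time of day and target directory before alerting, exactly because the article notes that password protection and deletion each have legitimate uses.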

Book a demo to witness how ThreatLocker® can protect your organization from the weaponization of your applications.
