Hello and welcome to the Friday, April 7, 2020, 3 edition of the Santernat Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Still catching up a little bit here, and one issue that I haven't mentioned yet is the use of self-extracting files or

SFX files that was reported by CrowdStrike in a blog post.

You've probably all used self-extracting files in some form.

They are executables and that's sort of where it gets tricky with data and then when you run the executable,

the data is being extracted.

Now, a couple of things that CrowdStrike found.

First of all, where these SFX files are being then associated with Utelman.

Now, or Utilman, not sure how to pronounce it correctly. This is the tool that

sort of provides some input aids on the login screen. If you ever reset sort of a Windows password,

you may have done that by swapping this out for like command.exe in order to sort of bypass the login

prompt. And the reason that's sort of bypass the login prompt.

And the reason that's sort of an interesting program is that it can be run before the user logs in.

Now, one interesting feature of these SFX archives are being used here, and that's well the ability to run commands. Unsuccessful extraction, any command can be run.

That's of an option that can be specified. The trick here is that in doing so, the actual SFX file does not contain any malware. It just contains a little command at the end that will then, for example, download malware

or a run additional malware on the system.

So the SFX file, AskRout strike points out, was actually empty in this case.

So SFX files is certainly a file type that you should have on your radar.

It is legitimately used.

It's not quite as commonly used as, for example, SIP files and such,

but shares many of the same properties.

...