What is a Self-Extracting Archive?

A self-extracting archive (SFX) is a compressed archive bundled with a small extractor program, so that opening the file extracts its contents automatically. SFXs are often used legitimately to compress and share large files with users who do not have archiving software such as WinZip or WinRAR installed. Because the file runs on its own, SFXs are also delivered through social engineering and phishing techniques to trick a victim into opening them.

Why are they a danger?

Recently, CrowdStrike has observed SFXs being used to deliver and deploy malware on targets. If a victim opens the file, the malware is extracted and immediately executed, leaving victims and anti-virus systems with little time to respond. CrowdStrike reported a case study in which a threat actor utilised an SFX to abuse various Windows applications and create a backdoor on the victim’s machine. The severity of these attacks depends on the sophistication of the malware and the aim of the code within; however, they could result in data breaches, system compromise, financial loss and reputational damage.

How can you prevent this type of attack?

  • Conduct regular phishing training for all employees in your business. For more information on how the Cyber and Fraud Centre can help, read here.
  • Implement spam blocks, attachment scanning and download policies on your business email clients.
  • Prepare an incident response plan in the case of an attack.
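The attachment-scanning step above can be made concrete. The following is an added example written for this page (it is not code from the Cyber and Fraud Centre or from CrowdStrike) showing how a mail gateway or triage script might flag attachments that look like self-extracting archives. It relies on the structure described earlier: an SFX is a Windows executable (an "MZ" header) with a ZIP, RAR or 7z archive appended to the extractor stub, and WinRAR and 7-Zip SFX stubs read script directives such as "Setup=" or "RunProgram=" that launch a file as soon as extraction finishes. The function names, the verdict policy and the sample attachments are all constructed for illustration; the magic bytes and directive names are the standard ones for those formats.

```python
"""
Triage e-mail attachments for self-extracting archives (SFX).

An SFX is a PE executable ('MZ' header) with a compressed archive appended to
the extractor stub, so a naive "is this a zip?" check never sees it. This
scanner flags three independent indicators and combines them into a verdict:
  1. PE header present (the extractor stub),
  2. an archive signature (ZIP / RAR / 7z) somewhere after the PE header,
  3. SFX script directives ('Setup=' / 'Silent=' for WinRAR, 'RunProgram='
     for 7-Zip) that make the stub run a payload right after extraction.
Names, policy and samples here are constructed for illustration.
"""
from dataclasses import dataclass, field

# Standard magic bytes of the archive formats commonly wrapped in an SFX.
ARCHIVE_MAGICS = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"7z\xbc\xaf\x27\x1c": "7z",
}

# Script directives that WinRAR / 7-Zip SFX stubs honour after extracting.
SFX_SCRIPT_DIRECTIVES = [b"Setup=", b"RunProgram=", b"Silent="]


@dataclass
class ScanResult:
    filename: str
    is_pe: bool
    embedded_archives: list = field(default_factory=list)
    script_directives: list = field(default_factory=list)
    extension_mismatch: bool = False  # executable not named as one

    @property
    def is_sfx(self) -> bool:
        return self.is_pe and bool(self.embedded_archives)

    @property
    def verdict(self) -> str:
        # Constructed policy: auto-run SFX is blocked outright, anything that
        # merely looks like an SFX or a disguised executable is held for review.
        if self.is_sfx and self.script_directives:
            return "block"
        if self.is_sfx or self.extension_mismatch:
            return "quarantine"
        return "allow"


def scan_attachment(filename: str, data: bytes) -> ScanResult:
    """Inspect one attachment and return the indicators found."""
    is_pe = data[:2] == b"MZ"
    result = ScanResult(filename=filename, is_pe=is_pe)
    if not is_pe:
        return result  # plain archives and documents belong to other rules

    # Skip the 64-byte DOS header, then look for appended archive signatures.
    # Legitimate installers can also carry archives, so this is an indicator,
    # not proof; the verdict above sends such files to review, not the bin.
    body = data[64:]
    for magic, kind in ARCHIVE_MAGICS.items():
        if magic in body:
            result.embedded_archives.append(kind)

    for directive in SFX_SCRIPT_DIRECTIVES:
        if directive in data:
            result.script_directives.append(directive.decode())

    # A PE whose name does not end in an executable extension is disguised.
    result.extension_mismatch = not filename.lower().endswith((".exe", ".scr"))
    return result


def build_sample_sfx(archive_magic: bytes, script: bytes = b"") -> bytes:
    """Constructed test data: a fake extractor stub with an archive appended."""
    stub = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    return stub + script + archive_magic + b"\x00" * 100


if __name__ == "__main__":
    # Constructed attachments: none of these are real files or real malware.
    samples = {
        "invoice.pdf.exe": build_sample_sfx(
            b"Rar!\x1a\x07\x00", b"Setup=placeholder.exe\r\nSilent=1\r\n"),
        "photos.zip.scr": build_sample_sfx(b"PK\x03\x04"),
        "statement.pdf": build_sample_sfx(b""),
        "installer.exe": build_sample_sfx(b""),
        "report.zip": b"PK\x03\x04" + b"\x00" * 50,
    }
    for name, blob in samples.items():
        r = scan_attachment(name, blob)
        print(f"{name:18} sfx={r.is_sfx!s:5} directives={r.script_directives} "
              f"mismatch={r.extension_mismatch!s:5} -> {r.verdict}")
```

The verdict tiers are deliberate: an SFX that also carries an auto-run directive is exactly the "extracted and immediately executed" pattern described above and is blocked, whereas a bare SFX or an executable hiding behind a document name is held for analyst review, since legitimate installers and renamed files do occur. A gateway would run the same check against each MIME part rather than the constructed samples used here.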

For more information on self-extracting archive malware attacks: