How Stealthy Was the 7zip Malware and How to Spot It?
Why It Matters
The disguised 7‑Zip installer demonstrates how low‑profile malware can bypass traditional defenses, making vigilant source verification and firewall rule audits essential for protecting enterprise networks.
Key Takeaways
- Trojanized 7‑Zip installer adds a hidden outbound firewall allow rule
- Malware uses built‑in Windows tools (cmd.exe, netsh), leaving a minimal footprint
- Unrecognized outbound firewall rules can reveal stealthy malware activity
- C2 domain heroSMS.co shows up mainly in reports from MSSPs in the US, Japan and Germany
- Sandbox analysis and DNS checks help detect disguised installers
Summary
The video dives into the trojanized 7‑Zip installer that was being served from the look‑alike domain 7zip.com, showing how the malicious package mimics the legitimate 7‑Zip setup while silently dropping a backdoor.
In the Any.run sandbox the analyst observed that the installer runs normally, then drops "uphero.exe", which immediately creates an outbound Windows firewall allow rule via netsh so that traffic to the command‑and‑control server is not blocked. Network traces reveal only DNS queries to heroSMS.co, and because the malware relies on native Windows utilities (cmd.exe, netsh) rather than dropping additional tooling, there is almost no anomalous process activity to detect.
The presenter highlights a screenshot of the firewall rule (“uphero” outbound allow) and notes that the C2 domain is predominantly seen in reports from MSSPs in the US, Japan and Germany. He also warns that AI tools like ChatGPT can inadvertently recommend the compromised installer, and that encrypted HTTPS/DNS‑over‑HTTPS further obscures malicious traffic.
For enterprises and end‑users the takeaway is clear: always verify download sources, routinely audit outbound firewall rules for unknown entries, and employ sandbox services such as Any.run to vet executables before deployment. Proactive monitoring can prevent stealthy proxyware from persisting in corporate environments.
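The audit step above (look for outbound allow rules you did not create, such as the "uphero" rule netsh added) can be scripted. The following is an added example written for this page, not code from the video or the analyst: it parses the text that `netsh advfirewall firewall show rule name=all dir=out verbose` prints on a Windows host and flags enabled outbound allow rules whose program lives outside the Windows and Program Files directories, or that allow any protocol to any remote address. The embedded netsh output is constructed and abbreviated, not captured from a real host, and the path `C:\Users\alice\AppData\Local\Temp\uphero.exe` is an assumption; the video does not say where the dropper writes the binary.

```python
"""Audit outbound Windows Firewall allow rules exported with netsh.

Added example: parses the output of
  netsh advfirewall firewall show rule name=all dir=out verbose
and flags rules that look like the hidden "uphero" rule.
"""
import sys
from pathlib import PureWindowsPath

# Outbound allow rules for programs under these directories are treated as
# expected; anything under a user profile (AppData, Temp, Downloads) is not.
TRUSTED_PROGRAM_DIRS = (
    r"C:\Windows",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# netsh prints some built-in rules with environment variables in the path.
ENV_PREFIXES = {
    "%systemroot%": r"C:\Windows",
    "%windir%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
    "%programfiles(x86)%": r"C:\Program Files (x86)",
}

# Constructed, abbreviated sample of netsh verbose output (not from a real host).
# The uphero.exe path is an assumption; the video does not say where it is dropped.
SAMPLE_NETSH_OUTPUT = r"""
Rule Name:                            Google Chrome (mDNS-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
RemoteIP:                             Any
Protocol:                             UDP
Program:                              C:\Program Files\Google\Chrome\Application\chrome.exe
Action:                               Allow

Rule Name:                            uphero
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:
RemoteIP:                             Any
Protocol:                             Any
Program:                              C:\Users\alice\AppData\Local\Temp\uphero.exe
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
RemoteIP:                             Any
Protocol:                             UDP
Program:                              %SystemRoot%\system32\svchost.exe
Service:                              dnscache
Action:                               Allow
"""


def parse_netsh_rules(text):
    """Split netsh 'show rule' output into one dict per rule."""
    rules, current = [], None
    for line in text.splitlines():
        if line.startswith("Rule Name:"):
            current = {"Rule Name": line.split(":", 1)[1].strip()}
            rules.append(current)
        elif current is not None and ":" in line and not line.startswith("-"):
            key, value = line.split(":", 1)  # split once: paths contain "C:"
            current[key.strip()] = value.strip()
    return rules


def expand_program(program):
    """Resolve the environment-variable prefixes netsh uses for built-in rules."""
    lowered = program.lower()
    for var, path in ENV_PREFIXES.items():
        if lowered.startswith(var):
            return path + program[len(var):]
    return program


def in_trusted_dir(program, trusted_dirs=TRUSTED_PROGRAM_DIRS):
    """True if the program path sits under one of the trusted directories."""
    path = PureWindowsPath(expand_program(program))  # case-insensitive comparison
    return any(path.is_relative_to(PureWindowsPath(d)) for d in trusted_dirs)


def find_suspicious_rules(rules, baseline_names=frozenset(), trusted_dirs=TRUSTED_PROGRAM_DIRS):
    """Return {rule name: [reasons]} for enabled outbound allow rules worth a look."""
    findings = {}
    for rule in rules:
        name = rule["Rule Name"]
        if name in baseline_names:  # rules you have already vetted on this host
            continue
        if (rule.get("Enabled") != "Yes" or rule.get("Direction") != "Out"
                or rule.get("Action") != "Allow"):
            continue
        reasons = []
        program = rule.get("Program", "Any")
        if program.lower() == "any":
            reasons.append("applies to any program")
        elif not in_trusted_dir(program, trusted_dirs):
            reasons.append(f"program outside trusted directories: {program}")
        if rule.get("Protocol") == "Any" and rule.get("RemoteIP") == "Any":
            reasons.append("allows any protocol to any remote address")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # On the host: netsh advfirewall firewall show rule name=all dir=out verbose > rules.txt
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_NETSH_OUTPUT
    for name, reasons in find_suspicious_rules(parse_netsh_rules(text)).items():
        print(f"[!] {name}: {'; '.join(reasons)}")
```

Run against the sample, only the "uphero" rule is reported (program under a user profile, and any protocol to any remote address); the Chrome and Core Networking rules pass. On a real host, feed the script a file exported with the netsh command shown in the comment, and pass the names of rules you have already vetted as `baseline_names` so that repeat runs only surface new entries. The path check needs Python 3.9 or later for `PureWindowsPath.is_relative_to`.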