Hackers Use ZIP File Concatenation Tactic to Launch Undetected Attacks on Windows Users

Cybercriminals are using a sophisticated evasion technique known as ZIP file concatenation to specifically target Windows users. This technique combines multiple ZIP files into a single archive, making it harder for security software to detect malicious content.

As a result, unsuspecting users may inadvertently download harmful files while believing they are accessing safe, compressed data.

This tactic allows attackers to bypass conventional security measures and deliver malware undetected, posing significant risks to individuals and organizations alike.

By exploiting how different ZIP readers process concatenated files, threat actors can embed malicious payloads in archives that evade detection by many standard security tools.

ZIP File Concatenation Technique

ZIP file concatenation involves appending multiple ZIP archives into a single file. While this combined file appears to be one archive, it actually contains multiple central directories, each pointing to a different set of files.

According to Perception Point, the key to this technique lies in how various ZIP readers interpret the concatenated structure. Some readers may only display the contents of one archive while ignoring the others, allowing hidden malicious files to go unnoticed.

[Figure: ZIP file concatenation]

For example, if two ZIP files are concatenated, one containing benign content and the other harboring malware, certain tools will only show the harmless files. This discrepancy in handling allows attackers to hide their payloads from detection tools that rely on specific ZIP readers.

Common ZIP readers such as 7zip, WinRAR, and Windows File Explorer handle concatenated ZIP files differently:

  • 7zip: When opening a concatenated ZIP file with 7zip, only the contents of the first archive are displayed. While 7zip may issue a warning about additional data after the end of the archive, this warning is often ignored by users.
  • WinRAR: Unlike 7zip, WinRAR reads the second central directory and reveals all contents, including any hidden malicious files. This makes it more effective at detecting threats embedded within concatenated archives.
  • Windows File Explorer: Windows' built-in archive handler struggles with concatenated ZIPs. In some cases, it may fail to open the file altogether or only display part of the archive's content. This inconsistency makes it unreliable for detecting hidden threats.

A recent attack highlights how threat actors leverage this technique to deliver malware. In this case, a phishing email disguised as a shipping notification was sent to victims, according to the report.

[Figure: Phishing attack]

The email contained an attachment named “SHIPPING_INV_PL_BL_pdf.rar,” which appeared to be a RAR file but was actually a concatenated ZIP archive.

When opened with 7zip, the file revealed only a benign-looking PDF document. However, when opened with WinRAR or Windows File Explorer, the hidden malicious executable “SHIPPING_INV_PL_BL_pdf.exe” was exposed.

This executable was identified as a variant of Trojan malware designed to automate malicious tasks such as downloading additional payloads or executing ransomware.

The success of this evasion technique lies in its ability to exploit differences in how various tools process ZIP files. Many security solutions rely on common ZIP handlers like 7zip or native OS tools to scan archives for malicious content.

Since these tools may not fully parse concatenated archives, they can miss hidden threats entirely.
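A scanner that wants to see everything any reader could see must enumerate every central directory in the file rather than trust a single one. The following Python is added here as an illustration and is not code from the report or from any product mentioned: it finds every end-of-central-directory record in a blob, lists the files each one references, and compares that with what Python's own zipfile module (which honours only the last record) reports. The archive it inspects is constructed inline with placeholder names and harmless bytes.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record
CDFH_SIG = b"PK\x01\x02"  # central-directory file header

def _names_in_central_directory(data: bytes, start: int, count: int) -> list[str]:
    """Walk `count` central-directory headers from `start` and return the file names."""
    names, p = [], start
    for _ in range(count):
        if data[p:p + 4] != CDFH_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, p + 28)
        names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
        p += 46 + name_len + extra_len + comment_len
    return names

def list_all_central_directories(data: bytes) -> list[list[str]]:
    """List the files referenced by every EOCD record in the blob: one listing means a
    normal archive, more than one means concatenated ZIPs. The central directory is found
    as (eocd - cd_size), not via the stored offset, which is relative to the appended ZIP
    rather than to the combined file. ZIP64 records are not handled."""
    listings, pos = [], 0
    while (idx := data.find(EOCD_SIG, pos)) != -1 and idx + 22 <= len(data):
        total_entries, cd_size = struct.unpack_from("<HI", data, idx + 10)
        cd_start = idx - cd_size
        if cd_start >= 0 and data[cd_start:cd_start + 4] == CDFH_SIG:  # skip false hits
            listings.append(_names_in_central_directory(data, cd_start, total_entries))
        pos = idx + 4
    return listings

def inspect(data: bytes) -> dict:
    """Full scan versus Python's zipfile, which honours only the last EOCD in the file."""
    listings = list_all_central_directories(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        stdlib_view = zf.namelist()
    return {"central_directories": len(listings),
            "all_names": [n for names in listings for n in names],
            "stdlib_sees": stdlib_view}

def build_sample() -> bytes:
    """Constructed sample (not real malware): a benign-looking ZIP with a second ZIP appended."""
    def make_zip(name: str, payload: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()
    return make_zip("invoice.pdf", b"%PDF-1.4 harmless") + make_zip("invoice.exe", b"placeholder bytes")
```

Running `inspect(build_sample())` reports two central directories and both names from the full scan, while the stdlib view lists only the appended archive's file, which is the same kind of disagreement between readers that the attack relies on.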

Hackers are increasingly using this method because it allows them to target specific users who rely on certain tools while evading detection by others. For instance, Windows users who depend on built-in tools or 7zip may be at higher risk of falling victim to such attacks.
