Fixxx
Moder
- Joined
- 20.08.24
- Messages
- 279
- Reaction score
- 544
- Points
- 93
Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them. The technique exploits the different methods ZIP parsers and archive managers handle concatenated ZIP files. This new trend was spotted by Perception Point, who discovered a concatentated ZIP archive hiding a trojan while analyzing a phishing attack that lured users with a fake shipping notice. The researchers found that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious tasks.
The first stage of the attack is the preparation, where the threat actors create two or more separate ZIP archives and hide the malicious payload in one of them, leaving the rest with innocuous content. Next, the separate files are concatenated into one by appending the binary data of one file to the other, merging their contents into one combined ZIP archive. Although the final result appears as one file, it contains multiple ZIP structures, each with its own central directory and end markers.
The next phase of the attack relies on how ZIP parsers handle concatenated archives. Perception Point tested 7zip, WinRAR and Windows File Explorer to different results:
To defend against concatenated ZIP files, Perception Point suggests that users use security solutions that support recursive unpacking. Generally, emails attaching ZIPs or other archive file types should be treated with suspicion and filters should be implemented in critical environments to block the related file extensions.
*Phishing email hiding a trojan in a concatenated ZIP file.
Hiding Malware in “broken” ZIPs
The first stage of the attack is the preparation, where the threat actors create two or more separate ZIP archives and hide the malicious payload in one of them, leaving the rest with innocuous content. Next, the separate files are concatenated into one by appending the binary data of one file to the other, merging their contents into one combined ZIP archive. Although the final result appears as one file, it contains multiple ZIP structures, each with its own central directory and end markers.
*Internal structure of ZIP files.
Exploiting ZIP App Flaws
The next phase of the attack relies on how ZIP parsers handle concatenated archives. Perception Point tested 7zip, WinRAR and Windows File Explorer to different results:
- 7zip only reads the first ZIP archive (which could be benign) and may generate a warning about additional data, which users may miss
- WinRAR reads and displays both ZIP structures, revealing all files, including the hidden malicious payload.
- Windows File Explorer may fail to open the concatenated file or, if renamed with a .RAR extension, might display only the second ZIP archive.
*7zip (top) and Windows File Explorer (bottom) opening the same file.
To defend against concatenated ZIP files, Perception Point suggests that users use security solutions that support recursive unpacking. Generally, emails attaching ZIPs or other archive file types should be treated with suspicion and filters should be implemented in critical environments to block the related file extensions.