Hackers are focusing on Home windows machines utilizing the ZIP file concatenation approach to ship malicious payloads in compressed archives with out safety options detecting them.
The approach exploits the totally different strategies ZIP parsers and archive managers deal with concatenated ZIP information.
This new pattern was noticed by Notion Level, who found a a concatentated ZIP archive hiding a trojan whereas analyzing a phishing assault that lured customers with a pretend delivery discover.
The researchers discovered that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious duties.
Supply: Notion Level
Hiding malware in “broken” ZIPs
The primary stage of the assault is the preparation, the place the risk actors create two or extra separate ZIP archives and conceal the malicious payload in one in every of them, leaving the remaining with innocuous content material.
Subsequent, the separate information are concatenated into one by appending the binary knowledge of 1 file to the opposite, merging their contents into one mixed ZIP archive.
Though the ultimate consequence seems as one file, it incorporates a number of ZIP constructions, every with its personal central listing and finish markers.
Supply: Notion Level
Exploiting ZIP app flaws
The subsequent section of the assault depends on how ZIP parsers deal with concatenated archives. Notion Level examined 7zip, WinRAR, and Home windows File Explorer to totally different outcomes:
- 7zip solely reads the primary ZIP archive (which may very well be benign) and will generate a warning about extra knowledge, which customers could miss
- WinRAR reads and shows each ZIP constructions, revealing all information, together with the hidden malicious payload.
- Home windows File Explorer could fail to open the concatenated file or, if renamed with a .RAR extension, may show solely the second ZIP archive.
Relying on the app’s habits, the risk actors could fine-tune their assault, corresponding to hiding the malware within the first or the second ZIP archive of the concatenation.
Attempting the malicious archive from the assault on 7Zip, Notion Level researchers noticed that solely a innocent PDF file was proven. Opening it with Home windows Explorer, although, revealed the malicious executable.
Supply: Notion Level
To defend towards concatenated ZIP information, Notion Level means that customers and organizations use safety options that help recursive unpacking.
Typically, emails attaching ZIPs or different archive file sorts needs to be handled with suspicion, and filters needs to be carried out in essential environments to dam the associated file extensions.
