Hackers now use ZIP file concatenation to evade detection

Hackers are targeting Windows workstations with the ZIP file concatenation technique to deliver malicious payloads in compressed archives that are not detected by security solutions.

The technique takes use of the various ways ZIP parsers and archive managers handle concatenated ZIP files.

Perception Point detected a concatenated ZIP archive containing a trojan while researching a phishing attempt that tempted users with a bogus delivery notice.

The researchers discovered that the attachment was disguised as a RAR archive, and the virus used the AutoIt scripting language to perform destructive actions.

Hide malware in "broken" ZIPs.

The first stage of the assault is preparation, which involves the threat actors creating two or more different ZIP archives and hiding the harmful payload in one of them while leaving the others with harmless content.

The individual files are then concatenated into one by adding the binary data from one to the other, resulting in a single unified ZIP archive.

Although the final product looks to be a single file, it actually comprises many ZIP structures, each with its own central directory and end marker.

Exploiting ZIP application weaknesses

The second part of the attack is based on how ZIP parsers handle concatenated archives. Perception Point evaluated 7zip, WinRAR, and Windows File Explorer with varying results.

• 7zip only reads the initial ZIP archive (which could be benign) and may generate a warning about further files, which users may overlook.
• WinRAR reads and displays both ZIP structures, exposing all files, including the concealed malicious payload.
• Windows File Explorer may fail to open the concatenated file or, if renamed with a.RAR extension, may only see the second ZIP archive.

Depending on the app's activity, the threat actors may fine-tune their attack, such as hiding the malware in the concatenation's first or second ZIP archive.

Perception Point researchers tested the malicious archive from the 7Zip assault and discovered that it simply displayed a harmless PDF file. However, opening it in Windows Explorer showed the malicious application.

To protect against concatenated ZIP files, Perception Point recommends that consumers and organizations adopt security solutions that support recursive unpacking.

In general, emails containing ZIPs or other archive file formats should be viewed with suspicion, and filters should be established in critical environments to block the associated file extensions.

Source: Bleeping Computer