Windows machines are being targeted with ZIP file concatenation attacks


  • Scammers can merge multiple ZIP archives into a single file
  • Archiving software rarely reads or displays all merged archives
  • As a result, scammers can sneak malware onto a device

Hackers are concatenating ZIP files to bypass security solutions and infect their targets with malware via email messages, experts warn.

A report from cybersecurity researchers Perception Point outlines how they recently observed such a campaign while analyzing a phishing attack.

ZIP file concatenation is a type of attack that involves merging multiple ZIP files into one to trick archivers and antivirus solutions.

Alleviate the problem

As Perception Point explains, the crooks created two (or more) ZIP archives: one completely benign, perhaps containing a clean .PDF file or something similar, and one containing the malware. They then appended the ZIP files to each other to form a single file that, although it appeared to be one archive, contained multiple central directories, each pointing to a different set of file entries.

Different archive programs, such as WinZip, WinRAR, 7-Zip and others, handle these types of files differently, allowing criminals to bypass cybersecurity solutions and infect the target device. For example, 7-Zip only reads the first ZIP archive, which can lead to compromises. However, it may alert the user to additional data. WinRAR will read all ZIP structures and reveal the malware, while Windows File Explorer will only display the second ZIP archive.
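The behaviour described above (several central directories inside one file, with archivers disagreeing on which one to honour) as an added example that is not the article's or Perception Point's code: a small Python script that builds two constructed sample archives, concatenates them, and then lists every central directory in the result rather than only the last one. The entry names and contents are placeholders, and the comparison with Python's own `zipfile` module shows how a parser that trusts only the final end-of-central-directory record misses the first archive.

```python
import io
import struct
import zipfile
EOCD_SIG = b"PK\x05\x06"          # end-of-central-directory record
EOCD_FMT = "<4sHHHHIIH"           # [4] = total entries, [5] = central dir size
CDH_SIG = b"PK\x01\x02"           # central directory file header (46 bytes fixed)
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # [10]..[12] = name, extra, comment lengths

def make_zip(name, data):
    """Build a minimal one-entry ZIP in memory (constructed sample, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def list_archives(blob):
    """One name list per central directory found; more than one means concatenation."""
    archives, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) >= 0:
        rec = struct.unpack_from(EOCD_FMT, blob, pos)
        n_total, cd_size = rec[4], rec[5]
        # The recorded cd_offset is relative to the appended archive, not the
        # combined file, so walk back from the EOCD record instead of trusting it.
        cur, names = pos - cd_size, []
        for _ in range(n_total):
            if blob[cur:cur + 4] != CDH_SIG:
                break
            hdr = struct.unpack_from(CDH_FMT, blob, cur)
            name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
            names.append(blob[cur + 46:cur + 46 + name_len].decode("utf-8", "replace"))
            cur += 46 + name_len + extra_len + comment_len
        archives.append(names)
        pos += len(EOCD_SIG)
    return archives

def hidden_entries(blob):
    """Entries that a parser honouring only the last EOCD record never lists."""
    archives = list_archives(blob)
    visible = set(archives[-1]) if archives else set()
    return [n for a in archives[:-1] for n in a if n not in visible]

def visible_to_zipfile(blob):
    """What Python's zipfile (a last-EOCD parser) reports for the same bytes."""
    return zipfile.ZipFile(io.BytesIO(blob)).namelist()
if __name__ == "__main__":
    combined = make_zip("invoice.pdf", b"%PDF-1.4 placeholder") + make_zip("invoice.exe", b"MZ placeholder")
    print("central directories:", list_archives(combined))   # [['invoice.pdf'], ['invoice.exe']]
    print("zipfile sees:", visible_to_zipfile(combined))      # ['invoice.exe']
    print("hidden from it:", hidden_entries(combined))        # ['invoice.pdf']
```

A mail gateway or sandbox can flag any attachment for which `list_archives` returns more than one central directory, and then extract every listed entry rather than only those the last record points to.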

In practice, this would mean that the crooks would send the usual phishing email, ‘warning’ the victim of an outstanding invoice or undelivered package. The victim would download and run the attachment, unknowingly becoming infected with a Trojan or similar malware.

Perception Point argues that “traditional detection tools” often fail to extract and fully parse such ZIP files, and proposes its own solution (who would have thought?).

“By recursively analyzing each layer, it ensures no hidden threats are missed, no matter how deeply hidden they are. Deeply nested or hidden payloads are revealed for further analysis.”

However, if you’re careful with email attachments and don’t download things from unconfirmed sources, you’ll be safe anyway.

Via BleepingComputer
