Threat Actors Use ZIP File Concatenation to Evade Detection
Quick take - Threat actors are increasingly using ZIP file concatenation to embed malware that targets various ZIP readers, complicating detection efforts by security solutions and researchers due to the differing ways these readers interpret ZIP file structures.
Fast Facts
- Threat actors are using ZIP file concatenation to embed malware, complicating detection efforts by security solutions and researchers.
- The ZIP format’s structural flexibility allows attackers to exploit differences in how various ZIP readers interpret file structures, concealing malicious content.
- Analysis of popular ZIP readers (7zip, WinRAR, Windows File Explorer) shows significant discrepancies in handling concatenated ZIP files, affecting visibility of hidden payloads.
- A real-life example involved Trojan malware disguised as a shipping document delivered via a concatenated ZIP file, which bypassed basic detection mechanisms.
- In response to these challenges, Perception Point developed the Recursive Unpacker tool to enhance detection of advanced malware by recursively extracting all layers of ZIP archives.
Threat Actors Utilize ZIP File Concatenation to Evade Detection
Threat actors are increasingly utilizing innovative methods to evade detection, particularly through a technique known as ZIP file concatenation. This tactic allows attackers to embed malware that specifically targets various ZIP readers and archive managers, complicating the efforts of security solutions and researchers who employ different analysis methods.
Understanding ZIP File Structure
The ZIP format, commonly used for compressing and bundling files, facilitates file size reduction and simplifies transfers. However, its structural flexibility can be exploited for malicious purposes. Key components of a ZIP file include:
- File Entries: Contain compressed files or folders along with metadata such as file name, size, and modification date.
- Central Directory: An index located at the end of the ZIP that lists file entries and their offsets.
- End of Central Directory (EOCD): Marks the conclusion of the central directory and holds metadata like the total number of file entries.
Attackers exploit discrepancies in how various ZIP readers interpret ZIP file structures to conceal malicious content. An analysis of three popular ZIP readers—7zip, WinRAR, and Windows File Explorer—reveals significant differences in their handling of concatenated ZIP files.
The Risks of Concatenated ZIP Files
Concatenated ZIPs involve appending multiple ZIP archives into a single file, resulting in multiple central directories. The way different ZIP readers process these concatenated files can affect the visibility of hidden content. For instance, when two legitimate ZIP files (pt1.zip and pt2.zip) are combined into one (combined.zip), the second central directory takes precedence, influencing what is visible to each ZIP reader.
- 7zip: May display only the contents of the first archive and issue a warning about extra data.
- WinRAR: Can reveal the contents of the second archive, including any potentially malicious files.
- Windows File Explorer: May struggle to open concatenated ZIPs or might only display the contents of the second archive if it has been renamed.
This varied processing of concatenated ZIPs presents significant security implications, as attackers exploit these discrepancies to deliver payloads unnoticed, specifically targeting users of particular ZIP handling programs.
Real-Life Example and Response
A real-life example of this tactic involved Trojan malware disguised as a shipping document, delivered via a concatenated ZIP file in a phishing email. The email contained a file named SHIPPING_INV_PL_BL_pdf.rar, which was actually a concatenated ZIP file. The deception extended to the file name and extension, designed to bypass basic detection mechanisms.
When the concatenated file was opened with 7zip, it revealed only a benign PDF document, while Windows File Explorer and WinRAR exposed the malicious executable hidden within. This executable was identified as a variant of a trojan malware family that employed the AutoIt scripting language for its malicious activities.
In response to these security challenges, Perception Point’s security researchers contacted the developers of 7zip regarding the behavior of concatenated ZIP files, which was confirmed as an intentional feature. Traditional detection tools often struggle to unpack concatenated ZIPs, leading to overlooked hidden payloads. To combat this, Perception Point developed the Recursive Unpacker, a tool that recursively extracts every layer of a ZIP archive to uncover hidden threats. This innovative solution enables dynamic analysis of the extracted contents, enhancing the detection of advanced malware and loaders.
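The structure described above (one file, several central directories, the last EOCD taking precedence) and the recursive-unpacking idea can both be illustrated with a small detector. This is an added example, not Perception Point's Recursive Unpacker or the article's code: it builds a constructed pt1.zip + pt2.zip sample in memory, shows what a reader that trusts only the last EOCD sees, then walks back from every EOCD record to enumerate each embedded archive separately.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
EOCD_LEN = 22             # fixed EOCD size before the variable-length comment

def make_zip(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def build_concatenated_zip() -> bytes:
    """Constructed sample: pt1.zip (a benign document) with pt2.zip appended after it."""
    pt1 = make_zip("invoice.pdf", b"%PDF-1.4 constructed benign placeholder")
    pt2 = make_zip("invoice.exe", b"MZ constructed placeholder, not a real binary")
    return pt1 + pt2

def find_eocd_offsets(blob: bytes) -> list:
    """Offsets of every EOCD signature; more than one is the tell-tale sign of concatenation."""
    offsets, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) != -1:
        offsets.append(pos)
        pos += len(EOCD_SIG)
    return offsets

def single_reader_view(blob: bytes) -> list:
    """What a reader that honours only the last EOCD sees (Python's zipfile behaves this way)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

def list_all_entries(blob: bytes) -> list:
    """Walk back from each EOCD to its own archive start and list that archive's entries."""
    archives = []
    for off in find_eocd_offsets(blob):
        # EOCD layout: sig(4) disk(2) cd_disk(2) n_disk(2) n_total(2) cd_size(4) cd_off(4) comment_len(2)
        cd_size, cd_off = struct.unpack_from("<II", blob, off + 12)
        comment_len, = struct.unpack_from("<H", blob, off + 20)
        start = off - cd_size - cd_off          # cd_off is relative to that archive's own start
        end = off + EOCD_LEN + comment_len
        if start < 0:
            continue                            # signature bytes inside compressed data, not a real EOCD
        try:
            with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
                archives.append(zf.namelist())
        except zipfile.BadZipFile:
            continue                            # false positive on the signature scan, skip it
    return archives
```

On the constructed sample, `single_reader_view` reports only `invoice.exe` while `list_all_entries` returns both archives' entries, which is why a scanner has to enumerate every central directory rather than the one its ZIP library happens to pick.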