ZIP nesting dolls are a new way to hack Windows

Man

Merged ZIP files are a game-changer in cybersecurity.

Cybercriminals continue to look for new ways to bypass protection, and one of the newer techniques is to combine ZIP archives. This method hides malicious files from antiviruses and misleads researchers who rely on analysis tools.

The technique was discovered by Perception Point specialists while they were studying a phishing email. The email contained a fake delivery notice with an archive attached. At first glance, the archive looked like a RAR file, but inside was a Trojan built to automate malicious actions.

The essence of the attack is that the attackers create two or more separate ZIP archives. Malware is placed in one of them, and the rest are left empty or with safe files. The files are then combined into a single archive by simply appending the binary data of one file to another. The result is a file that looks like a regular ZIP, but actually contains multiple archives inside.

Each appended archive carries its own central directory (the index of files that an extractor reads), and different programs pick a different one when opening the merged file, which is why malicious files remain hidden from most antiviruses. The three most commonly used utilities are 7zip, WinRAR, and Windows Explorer, and each handles merged ZIP archives differently:
  • 7zip: Only shows the contents of the first archive and may warn you about additional data, but many users miss this notification.
  • WinRAR: Displays files from the last central directory, allowing you to see hidden malicious content.
  • Windows Explorer: The file may not open or show only part of the content, or if it is renamed to .RAR format, it may show only the second archive.
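As an added example (not from the original post or from Perception Point's research), this Python script builds a concatenated ZIP from two harmless stubs and shows the check a scanner would want: count the End-of-Central-Directory records and list every embedded archive, compared with what a reader that trusts only the last directory reports. File names are constructed to mirror the case described in the text.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End Of Central Directory record signature
EOCD_LEN = 22             # fixed part of the record, before the comment

def build_concatenated_zip():
    """Constructed sample: two independent ZIPs appended back to back.
    Names mirror the case in the text; the 'exe' is a text stub, not a binary."""
    parts = []
    for name, data in (("SHIPPING_INV_PL_BL_pdf.pdf", b"%PDF-1.4 benign placeholder"),
                       ("SHIPPING_INV_PL_BL_pdf.exe", b"placeholder, not executable")):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, data)
        parts.append(buf.getvalue())
    return b"".join(parts)

def find_eocd_offsets(blob):
    """Offsets of every EOCD record. A clean ZIP has one; more means nesting."""
    offsets, pos = [], 0
    while (pos := blob.find(EOCD_SIG, pos)) != -1:
        offsets.append(pos)
        pos += len(EOCD_SIG)
    return offsets

def list_embedded_archives(blob):
    """Name list of each embedded archive, first to last. An EOCD's central-directory
    offset is relative to its own archive, so that archive starts at eocd - cd_size - cd_offset."""
    archives = []
    for eocd in find_eocd_offsets(blob):
        cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", blob, eocd + 12)
        start, end = eocd - cd_size - cd_offset, eocd + EOCD_LEN + comment_len
        if start < 0 or end > len(blob):
            continue  # damaged record or a false-positive signature match
        with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
            archives.append(zf.namelist())
    return archives

def last_directory_only(blob):
    """Reader that trusts only the final EOCD (Python's zipfile; the text says WinRAR does too)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()

if __name__ == "__main__":
    sample = build_concatenated_zip()
    print("per-archive contents:", list_embedded_archives(sample))
    print("last-directory reader sees:", last_directory_only(sample))
```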

In one incident, cybercriminals sent a Trojan disguised as delivery documents. The letter contained an attachment named "SHIPPING_INV_PL_BL_pdf.rar". Although the .rar extension hinted at an archive, the file was actually a combined ZIP.

When opened in 7zip, only a harmless PDF document was displayed. But if the same file was opened in WinRAR or Windows Explorer, malicious files like "SHIPPING_INV_PL_BL_pdf.exe" immediately became visible. The executable turned out to be a Trojan that uses AutoIt scripts to automatically carry out malicious tasks, such as downloading other malware.

To protect against such attacks, experts advise using security systems that can unpack nested archives. It is also important to be more attentive to emails with attachments and set up filters to block such files.
