New Hack: Zip Matryoshka Targets Windows

Cybercriminals are constantly evolving their methods to evade detection, with one of the latest techniques involving the use of concatenated ZIP archives. This strategy allows them to conceal malicious files from antivirus programs and deceive security researchers who rely on analysis tools.

The discovery of this technique was made by specialists at Perception Point, who encountered a phishing email containing a fake delivery notice along with an attached archive. While the archive appeared to be a RAR file at first glance, it actually contained a Trojan designed to carry out malicious activities undetected.

In this type of attack, threat actors create multiple separate ZIP archives, with the malicious software placed in one of them and the others containing empty or harmless files. By combining these files into a single archive, the binary data of one file is appended to another, creating the appearance of a normal ZIP file that actually contains several hidden archives.

Archive tools interpret these concatenated ZIP archives differently, which is why the malicious file stays hidden from most antivirus programs: a scanner that trusts a single ZIP parser sees only one of the embedded archives. The three most commonly used utilities affected by this technique are 7-Zip, WinRAR, and Windows Explorer, and each handles the archive in its own way.

  • 7-Zip typically shows only the contents of the first archive and may warn that there is additional data after the end of the archive, a warning many users overlook.
  • WinRAR displays the files described by the last central directory in the file, so it reveals the hidden malicious content.
  • Windows Explorer may either fail to open the file or display only a portion of the contents. If the file is renamed with a .RAR extension, only the second archive may be visible.
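The divergence above comes from how each tool locates the ZIP "End Of Central Directory" (EOCD) record: a parser that searches backwards from the end of the file finds only the last archive, while one that starts from the front sees only the first. The following added example (not from the original article or Perception Point) shows the defender's view: it builds a constructed concatenated archive from two harmless text members, shows that Python's standard `zipfile` module (a last-EOCD parser) reports only the second archive's member, and then scans the whole blob for every genuine EOCD so that all embedded central directories are listed. Every file name and byte string in it is constructed for the demo.

```python
"""Detect concatenated ZIP archives by locating every End Of Central Directory
(EOCD) record and listing the members each central directory describes."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory signature
CDH_SIG = b"PK\x01\x02"    # Central Directory file header signature


def make_zip(name: str, data: bytes) -> bytes:
    """Build one ordinary ZIP in memory holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed sample: two independent ZIPs glued back to back (the
    technique the article describes), both with harmless text members."""
    first = make_zip("document.pdf", b"%PDF-1.4 placeholder text, not a real PDF\n")
    second = make_zip("second_archive.txt", b"constructed second archive\n")
    return first + second


def parse_central_directory(blob: bytes, start: int, size: int) -> list[str]:
    """Walk central directory headers from `start` for `size` bytes and
    return the member names they declare."""
    names = []
    pos, end = start, start + size
    while pos + 46 <= end and blob[pos:pos + 4] == CDH_SIG:
        # name length, extra field length, comment length sit at offset 28
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", blob, pos + 28)
        names.append(blob[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def find_archives(blob: bytes) -> list[dict]:
    """Return one record per genuine EOCD found anywhere in the blob.

    A signature hit is accepted only if a central directory really ends
    right before it; that filters out chance matches inside compressed data.
    """
    archives = []
    search_from = 0
    while (idx := blob.find(EOCD_SIG, search_from)) != -1:
        search_from = idx + 1
        if idx + 22 > len(blob):      # truncated EOCD, cannot be real
            break
        cd_size, cd_offset = struct.unpack_from("<II", blob, idx + 12)
        cd_start = idx - cd_size
        if cd_start < 0 or blob[cd_start:cd_start + 4] != CDH_SIG:
            continue                  # signature bytes that are not an EOCD
        archives.append({
            "eocd_offset": idx,
            # cd_offset is relative to this archive's own start, so the
            # difference tells us where the glued-on archive begins
            "base": cd_start - cd_offset,
            "members": parse_central_directory(blob, cd_start, cd_size),
        })
    return archives


def is_concatenated(blob: bytes) -> bool:
    """True when more than one valid archive is embedded in the same file."""
    return len(find_archives(blob)) > 1


def stdlib_view(blob: bytes) -> list[str]:
    """What a last-EOCD parser (here Python's zipfile) reports for the bytes."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_sample()
    for i, a in enumerate(find_archives(sample)):
        print(f"archive {i}: starts at byte {a['base']}, members={a['members']}")
    print("zipfile alone sees:", stdlib_view(sample))
    print("concatenated:", is_concatenated(sample))
```

For mail-gateway or sandbox triage the useful signal is simply `is_concatenated()` being true on an attachment; a single extra EOCD is rare in legitimately produced archives, and when it fires, every member from every embedded central directory should be extracted and scanned rather than only the set the default parser exposes.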

In one instance of this technique being employed, cybercriminals sent a Trojan disguised as delivery documents under the name “shipping_inv_pl_bl_pdf.rar”. Despite the .RAR extension implying it was an archive, the file was actually a concatenated ZIP archive.

When opened in 7-Zip, only a harmless PDF document was shown. Opening the same file in WinRAR or Windows Explorer, however, revealed malicious files such as “shipping_inv_pl_bl_pdf.exe”, which turned out to be the Trojan that runs the harmful scripts.

Furthermore, attackers can use the AutoIt scripting language to obfuscate the malware's processes and to simplify building and distributing it, which further complicates detection and mitigation.
