A significant part of a cybercriminal’s arsenal of tools and techniques is dedicated to evading detection by security solutions such as firewalls and antivirus software. Depending on the nature of the malware that needs to be delivered, the criminal picks the method of avoiding detection best suited to it. ZIP File Concatenation is one such method. This evasion technique takes advantage of quirks and differences in how ZIP readers (e.g. WinRAR) interpret ZIP file structures, allowing hidden or malicious content to remain undetected by certain tools.
ZIP File Concatenation is a chaining process of sorts that joins multiple ZIP archives into one single file. As mentioned before, these concatenated ZIPs are handled differently by different ZIP readers, some of which are unable to access, or simply do not access, certain parts of the concatenated file. Attackers can take advantage of this by targeting users of the ZIP readers known to handle archives this way and hiding their malicious files in the parts of the file that the ZIP reader does not access, evading detection by security tools and successfully infecting the victim’s computer. It is important to note that although the concatenation appears to be one file, it actually contains multiple ZIP structures, each with its own central directory and end-of-central-directory marker. This is what causes the ZIP readers to behave differently from one another.
Perception Point, who discovered this technique in the wild while analysing a phishing attack that lured users with a fake shipping notice, ran an experiment with three different ZIP readers (7zip, WinRAR and Windows File Explorer) to see how each handled concatenated archives. Their findings were as follows:
- 7zip only reads the first ZIP archive up to its end marker and stops there, meaning that any data in the subsequent archives would likely evade detection.
- WinRAR reads and displays all structures, including the secret hidden files, meaning that the technique won’t work with this ZIP reader.
- Windows File Explorer fails to open the concatenated file or in some cases, if renamed with a .RAR extension, displays only the second ZIP archive, making this also exploitable in the same way as 7zip.
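To make the point about multiple central directories and end markers concrete, here is an added example (not code from the original post or from Perception Point). It builds two ordinary ZIP archives in memory, glues them together the way the technique does, and then scans the result the way a defender's tooling should: it locates every End of Central Directory (EOCD) record, validates each one by checking that it points at a real central directory, and lists the file names held in each embedded archive. It also shows which archive Python's standard `zipfile` module reads when handed the concatenated file, which is the kind of reader-specific behaviour the findings above describe. All file names and contents are constructed sample data.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CD_SIG = b"PK\x01\x02"     # Central directory file header signature
EOCD_FIXED_LEN = 22        # EOCD size before the optional comment
CD_HEADER_LEN = 46         # Central directory header size before name/extra/comment


def make_zip(name, payload):
    """Build a single-entry ZIP in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_concatenated_zip():
    """Two independent archives back to back, as in the technique described."""
    first = make_zip("readme.txt", b"harmless decoy text")
    second = make_zip("invoice.txt", b"content some readers never show")
    return first + second


def parse_eocd(data, eocd_off):
    """Decode the fixed part of an EOCD record at eocd_off."""
    (_sig, _disk, _cd_disk, _entries_disk, entries_total,
     cd_size, cd_offset, _comment_len) = struct.unpack_from("<4sHHHHIIH", data, eocd_off)
    return {"entries": entries_total, "cd_size": cd_size, "cd_offset": cd_offset}


def central_directory_start(data, eocd_off):
    """Absolute offset of the central directory this EOCD describes.

    cd_offset is relative to the start of *its own* archive, which for a
    second or later archive is not byte 0, so recover the archive start
    from the EOCD position first (the same correction readers use for
    self-extracting archives with prepended data).
    """
    info = parse_eocd(data, eocd_off)
    archive_start = eocd_off - info["cd_size"] - info["cd_offset"]
    return archive_start + info["cd_offset"], info["entries"]


def find_eocd_records(data):
    """Offsets of every EOCD whose central directory actually checks out.

    Validating against CD_SIG filters out a stray signature inside file
    data or an archive comment.
    """
    offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            cd_start, _ = central_directory_start(data, pos)
            if 0 <= cd_start < pos and data[cd_start:cd_start + 4] == CD_SIG:
                offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 4)
    return offsets


def list_central_directory(data, eocd_off):
    """File names recorded in the central directory that eocd_off points at."""
    pos, entries = central_directory_start(data, eocd_off)
    names = []
    for _ in range(entries):
        if data[pos:pos + 4] != CD_SIG:
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + CD_HEADER_LEN:pos + CD_HEADER_LEN + name_len]
        names.append(name.decode("utf-8", "replace"))
        pos += CD_HEADER_LEN + name_len + extra_len + comment_len
    return names


def scan(data):
    """Enumerate every embedded ZIP structure and flag concatenation."""
    eocds = find_eocd_records(data)
    return {
        "archive_count": len(eocds),
        "archives": [list_central_directory(data, off) for off in eocds],
        "concatenated": len(eocds) > 1,
    }


def stdlib_view(data):
    """What Python's zipfile (which locates the *last* EOCD) reports."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_concatenated_zip()
    print("full scan:", scan(sample))
    print("zipfile sees:", stdlib_view(sample))
```

The scanner deliberately does not trust a single EOCD: a scanning engine that only honours the first or the last one inherits exactly the blind spot the findings above describe, so a detection rule should treat more than one validated EOCD in a file as suspicious and inspect every central directory it finds. Note that `zipfile` reports only the second archive's entries here, which is why the first archive's contents would be invisible to anything built on it alone.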
Please note that everything revealed about the technique in this post is for educational purposes only. We do not condone any use of this information for illegal purposes.
To stay safe from attacks that use this technique to evade detection, follow these quick tips:
- Be Cautious with Email Attachments: Verify unexpected or suspicious emails before opening attachments, especially ZIP files that arrive unexpectedly or have odd extensions.
- Use Robust Security Software: Choose antivirus tools with advanced scanning features, and always keep them updated to detect hidden files in ZIP archives.
- Choose Reliable Extraction Software: Use secure ZIP tools like WinRAR, which displays all files in concatenated archives. Avoid tools like Windows File Explorer, which is Windows’ default but tends to miss hidden content.
- Stay Informed: Do not rely on your antivirus alone. Regularly update yourself on new cybersecurity threats to recognize evolving tactics used by attackers and measures to protect yourself from them.