Severity
High
Analysis Summary
Threat actors are using the ZIP file concatenation technique to target Windows computers and deliver malicious payloads in compressed files that evade detection by security solutions. The method exploits the differing ways in which archive managers and ZIP parsers handle concatenated ZIP files.
Researchers noticed this new trend while examining a phishing attempt that lured users with a fake delivery notice and found a concatenated ZIP archive containing a trojan. The attachment was masquerading as a RAR archive, and the malware used the AutoIt scripting language to automate its malicious actions.
In the preparatory phase of the attack, the threat actors create two or more distinct ZIP files, concealing the malicious payload in one of them and leaving the others with harmless content. The binary data of one file is then appended to the other, concatenating the separate files into a single ZIP archive. Although it appears to be a single file, the final product contains several ZIP structures, each with its own central directory and end-of-central-directory marker.
How ZIP parsers handle concatenated archives determines the attack's next stage. Researchers evaluated Windows File Explorer, WinRAR, and 7zip with varying outcomes:
- 7zip may generate a warning concerning additional material that users could overlook, but it only reads the initial ZIP archive, which may be harmless.
- After reading and displaying both ZIP structures, WinRAR makes all of the files—including the dangerous payload—visible.
- The concatenated file might not open in Windows File Explorer, or it might only show the second ZIP archive if it has been renamed with a .RAR extension.
Threat actors can tailor their attack to this behavior, for example by concealing the malware in either the first or the second ZIP archive of the concatenation. When researchers opened the malicious archive from this attack in 7zip, they saw only a harmless PDF file; when the same archive was opened with Windows Explorer, the malicious application was revealed.
To protect against concatenated ZIP files, researchers advise users and organizations to employ security solutions that perform recursive unpacking. In sensitive environments, filters should be put in place to block the associated file extensions, and emails carrying ZIP files or other archive formats should generally be treated with suspicion.
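As an added example (not part of this advisory or of the researchers' tooling), the following Python check applies the recursive-unpacking idea to the format itself: it walks every end-of-central-directory (EOCD) record in a file and lists the members of each embedded ZIP structure, then compares that with what Python's zipfile module, which honours only the last EOCD, reports on a constructed two-archive sample. The member names and contents are placeholders.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"    # central-directory file header


def find_zip_structures(data: bytes) -> list[list[str]]:
    """Return the member names of every ZIP structure embedded in `data`.

    Each appended archive keeps its own central directory and EOCD record, so
    walking every EOCD (not just the first or last) lists members that a
    single-structure parser would never display.
    """
    structures, pos = [], 0
    while (eocd := data.find(EOCD_SIG, pos)) != -1:
        # After the signature: disk(2) cd_disk(2) n_this(2) n_total(2)
        # cd_size(4) cd_offset(4) comment_len(2). cd_offset is relative to the
        # start of *this* archive, so locate the directory from the EOCD instead.
        n_total, cd_size = struct.unpack_from("<HI", data, eocd + 10)
        p, names = eocd - cd_size, []
        for _ in range(n_total):
            if p < 0 or data[p:p + 4] != CDH_SIG:
                break
            name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, p + 28)
            names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
            p += 46 + name_len + extra_len + comment_len   # fixed header is 46 bytes
        structures.append(names)
        pos = eocd + 4
    return structures


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a small ZIP archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> tuple[list[list[str]], list[str]]:
    # Constructed stand-in for the described chain: a harmless-looking archive
    # followed by a second archive carrying the payload (placeholder names).
    benign = make_zip({"invoice.pdf": b"%PDF-1.4 placeholder"})
    payload = make_zip({"delivery_notice.exe": b"MZ placeholder"})
    concatenated = benign + payload
    # zipfile trusts only the last EOCD and treats the first archive as junk...
    with zipfile.ZipFile(io.BytesIO(concatenated)) as zf:
        single_parser_view = zf.namelist()
    # ...while walking every EOCD exposes both structures to inspection.
    return find_zip_structures(concatenated), single_parser_view
```

Running `demo()` shows the parser disagreement the advisory describes: one view lists only the second archive's member, the other lists both structures.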
Impact
- Security Bypass
- Code Execution
Remediation
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement IDPS to detect and prevent unusual network activity, system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.