Security researchers have discovered that malicious actors have been using ZIP file concatenation to avoid the detection of the malware within. This technique involves combining multiple ZIP files, with the malware stored in one of the inner archives, making it harder for anti-malware software to discover. Furthermore, researchers at Perception Point (h/t BleepingComputer) noted that the different ways the three most popular file archivers — 7zip, WinRAR, and Windows File Explorer — handle concatenated archives affect detection rates in this type of attack.
ZIP files usually have a single central directory which tells the archiving software where each individual file is located within the archive and where its data starts and ends. However, concatenated archives have two or more central directories, with the file archiver only opening one central directory when a user previews its contents. For example, 7zip only shows the first central directory, while WinRAR would show the second one. On the other hand, Windows File Explorer outright refuses to open concatenated ZIP files (but it would open the second directory if the file is renamed as a .RAR file).
So, if the malicious file is stored in the second directory, users who unpack the archive with 7zip won’t see the malware at all — only the benign first directory is listed and extracted. The only hint that the archive contains more is the warning shown in the extraction window: “There are some data after the end of the payload data”. With WinRAR or Windows File Explorer (after renaming the concatenated archive to .RAR), however, the malware file is visible and can be unpacked.
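The structural detail behind this is what a scanner can key on: every ZIP ends with an End of Central Directory (EOCD) record, so a concatenated file carries two of them, and the first archive's EOCD is followed by trailing data (the condition 7zip warns about). The following Python script is an added illustration, not code from the article or from Perception Point; it builds two constructed archives with the standard library (the "payload" is a harmless placeholder string), concatenates them, validates every EOCD candidate against its central directory, lists each embedded archive's entries, and reports how much data follows the first archive. It also shows which of the two directories Python's own `zipfile` module picks, as one more data point alongside the three tools the article compares.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CD_SIG = b"PK\x01\x02"     # Central directory file header signature


def make_zip(files):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def parse_eocd(data, pos):
    """Validate an EOCD candidate at pos. Returns a dict or None.

    The EOCD stores the central directory's size and its offset relative to the
    start of *its own* archive, so for an archive appended after other data the
    archive start is pos - cd_size - cd_offset. A candidate is accepted only if
    a central directory header really sits at that computed location.
    """
    if pos + 22 > len(data):
        return None
    (_sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_offset,
     comment_len) = struct.unpack("<4sHHHHIIH", data[pos:pos + 22])
    end = pos + 22 + comment_len
    archive_start = pos - cd_size - cd_offset
    if end > len(data) or archive_start < 0:
        return None
    cd_pos = archive_start + cd_offset
    if data[cd_pos:cd_pos + 4] != CD_SIG:
        return None
    return {"start": archive_start, "end": end, "cd": cd_pos, "entries": n_total}


def find_archives(data):
    """Return every structurally valid embedded archive, in file order."""
    archives = []
    pos = 0
    while (idx := data.find(EOCD_SIG, pos)) != -1:
        rec = parse_eocd(data, idx)
        if rec:
            archives.append(rec)
        pos = idx + 4
    return archives


def list_entries(data, archive):
    """Walk one embedded archive's central directory and return its file names."""
    names = []
    pos = archive["cd"]
    for _ in range(archive["entries"]):
        if data[pos:pos + 4] != CD_SIG:
            break
        fields = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def is_concatenated(data):
    return len(find_archives(data)) > 1


def analyze(data):
    """Summarise what each embedded central directory claims, plus trailing data."""
    archives = find_archives(data)
    return {
        "archives": len(archives),
        "names": [list_entries(data, a) for a in archives],
        # Non-zero here is the condition behind 7zip's
        # "There are some data after the end of the payload data" warning.
        "trailing_after_first": len(data) - archives[0]["end"] if archives else None,
    }


def stdlib_view(data):
    """Which directory Python's zipfile shows (it locates the EOCD from the end)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed samples: a benign archive followed by a second one whose entry
# stands in for the attacker's payload (it is just a placeholder string).
BENIGN = make_zip({"invoice.txt": b"Nothing to see here."})
SUSPECT = make_zip({"payload.bin": b"constructed placeholder, not malware"})
CONCATENATED = BENIGN + SUSPECT

if __name__ == "__main__":
    print(analyze(CONCATENATED))          # two archives, names per directory, trailing bytes
    print(stdlib_view(CONCATENATED))      # Python's zipfile shows the second directory
```

Flagging any file where `find_archives` returns more than one record (or where the first archive's `end` is short of the file length) is a cheap mail-gateway or endpoint check that does not depend on which directory a particular archiver happens to display.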
Note that this is likely an intended behavior based on the popular use cases of some archival software. Most tech-savvy users, including developers and cybersecurity professionals, favor 7zip. So, if they open the suspect file, usually delivered via a phishing email, they won’t see the malicious program, allowing the attack…
Read full post on Tom’s Hardware