https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
Hackers now use ZIP file concatenation to evade detection
By Bill Toulas
November 10, 2024, 10:13 AM

Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them.

The technique exploits the different ways ZIP parsers and archive managers handle concatenated ZIP files.

This new trend was spotted by Perception Point, who discovered a concatenated ZIP archive hiding a trojan while analyzing a phishing attack that lured users with a fake shipping notice.

The researchers found that the attachment was disguised as a RAR archive and that the malware leveraged the AutoIt scripting language to automate malicious tasks.

[Image: Phishing email hiding a trojan in a concatenated ZIP file. Source: Perception Point]

Hiding malware in "broken" ZIPs

The first stage of the attack is the preparation, where the threat actors create two or more separate ZIP archives and hide the malicious payload in one of them, leaving the rest with innocuous content.

Next, the separate files are concatenated into one by appending the binary data of one file to the other, merging their contents into one combined ZIP archive.

Although the final result appears as one file, it contains multiple ZIP structures, each with its own central directory and end markers.
[Image: Internal structure of ZIP files. Source: Perception Point]

Exploiting ZIP app flaws

The next phase of the attack relies on how ZIP parsers handle concatenated archives. Perception Point tested 7zip, WinRAR, and Windows File Explorer, with different results:

* 7zip only reads the first ZIP archive (which could be benign) and may generate a warning about additional data, which users may miss.
* WinRAR reads and displays both ZIP structures, revealing all files, including the hidden malicious payload.
* Windows File Explorer may fail to open the concatenated file or, if the file is renamed with a .RAR extension, might display only the second ZIP archive.

Depending on the app's behavior, the threat actors may fine-tune their attack, such as by hiding the malware in the first or the second ZIP archive of the concatenation.

Trying the malicious archive from the attack on 7zip, Perception Point researchers saw that only a harmless PDF file was shown. Opening it with Windows Explorer, though, revealed the malicious executable.

[Image: 7zip (top) and Windows File Explorer (bottom) opening the same file. Source: Perception Point]

To defend against concatenated ZIP files, Perception Point suggests that users and organizations use security solutions that support recursive unpacking.

Generally, emails attaching ZIPs or other archive file types should be treated with suspicion, and filters should be implemented in critical environments to block the related file extensions.
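As an added example, not code from the article or from Perception Point, the following Python script shows the detection side of the "recursive unpacking" advice above. It builds a two-archive concatenation from constructed sample data, then scans the whole file for every valid end-of-central-directory (EOCD) record instead of trusting only the one at the end, lists the entries each embedded ZIP structure exposes, and flags the file as concatenated. For comparison it also reports what Python's own zipfile module sees, which, like the Windows Explorer case in the article, is only the trailing archive. All file names and contents are constructed placeholders; the function names are this example's own.

```python
import io
import struct
import zipfile

# ZIP signatures as defined in the ZIP specification (APPNOTE.TXT)
EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDH_SIG = b"PK\x01\x02"   # central directory file header
EOCD_FMT = "<4sHHHHIIH"   # fixed 22-byte part of the EOCD record
EOCD_LEN = struct.calcsize(EOCD_FMT)
CDH_LEN = 46              # fixed part of a central directory header


def make_zip(files):
    """Build an in-memory ZIP archive from {name: bytes}. Constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def list_entries(data, cd_start, count):
    """Walk `count` central directory headers starting at cd_start and return the file names."""
    names = []
    pos = cd_start
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            break
        # name length, extra-field length and comment length sit at offset 28 of the header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + CDH_LEN:pos + CDH_LEN + name_len].decode("utf-8", "replace"))
        pos += CDH_LEN + name_len + extra_len + comment_len
    return names


def find_zip_structures(data):
    """Return one record per validated EOCD found anywhere in the blob.

    A trailing-only search (what most parsers do) sees one archive; scanning the
    whole file finds every appended structure. Each hit is validated by checking
    that a central directory header really sits where the EOCD's offsets say,
    which filters out PK\\x05\\x06 byte sequences that merely occur inside compressed data.
    """
    structures = []
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + EOCD_LEN <= len(data):
        (_sig, _disk, _cd_disk, _entries_disk, entries_total,
         cd_size, cd_offset, _comment_len) = struct.unpack_from(EOCD_FMT, data, pos)
        # cd_offset is relative to the start of *its* archive; for an appended
        # archive that start is wherever the previous archive's bytes ended.
        archive_start = pos - cd_size - cd_offset
        cd_start = archive_start + cd_offset
        if archive_start >= 0 and data[cd_start:cd_start + 4] == CDH_SIG:
            structures.append({
                "archive_start": archive_start,
                "eocd_offset": pos,
                "entries": list_entries(data, cd_start, entries_total),
            })
        pos = data.find(EOCD_SIG, pos + 4)
    return structures


def is_concatenated(data):
    """True when more than one valid ZIP structure is present: treat the file as suspicious."""
    return len(find_zip_structures(data)) > 1


def stdlib_view(data):
    """What Python's zipfile module lists: it locates the last EOCD, so only the trailing archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample: a benign-looking archive followed by a second appended archive.
BENIGN_ZIP = make_zip({"shipping_notice.pdf": b"%PDF-1.4 constructed placeholder content"})
SECOND_ZIP = make_zip({"hidden_file.bin": b"constructed placeholder content"})
CONCATENATED = BENIGN_ZIP + SECOND_ZIP

if __name__ == "__main__":
    for label, blob in (("single", BENIGN_ZIP), ("concatenated", CONCATENATED)):
        structures = find_zip_structures(blob)
        print(f"{label}: {len(structures)} ZIP structure(s), suspicious={is_concatenated(blob)}")
        for s in structures:
            print(f"  archive at byte {s['archive_start']}: {s['entries']}")
        print(f"  stdlib zipfile lists: {stdlib_view(blob)}")
```

The design choice worth noting is the validation step: a naive count of `PK\x05\x06` occurrences would produce false positives on compressed data that happens to contain those bytes, so each candidate EOCD is accepted only if its size and offset fields point at a real central directory header. A mail gateway or sandbox applying this check would list both archives' contents and could quarantine any attachment that carries more than one ZIP structure, regardless of which archive a particular viewer happens to display.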
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Comments

Cesafro54 - 4 days ago
Nice Analysis!

Speeddymon - 4 days ago
This reminds me of how we accomplished getting root access to Android 2.1 way back in 2010 using a concatenated zip file and exploiting a bug in the Android update tool to insert a modified update package.