Flexible Structure of Zip Archives Exploited to Hide Malware Undetected

Threat actors are exploiting the various ways that zip files combine multiple archives into one file as an anti-detection tactic in phishing attacks that deliver various Trojan malware strains, including SmokeLoader.

Attackers are abusing the structural flexibility of zip files through a technique known as concatenation, a method that involves appending multiple zip archives into a single file, new research from Perception Point has found. In this method, the combined file appears as one archive that actually contains multiple central directories, each pointing to different sets of file entries.

However, "this discrepancy in handling concatenated zips allows attackers to evade detection tools by hiding malicious payloads in parts of the archive that some zip readers cannot or do not access," Arthur Vaiselbuh, Windows internals engineer, and Peleg Cabra, product marketing manager from Perception Point, wrote in a recent blog post.

Abusing concatenation allows attackers to hide malware in zip files that even readers aimed at parsing the files for in-depth analysis, including 7.zip or OS-native tools, may not detect, according to Perception Point.

"Threat actors know these tools will often miss or overlook the malicious content hidden within concatenated archives, allowing them to deliver their payload undetected and target users who use a specific program to work with archives," Vaiselbuh and Cabra noted in the post.

How to Exploit Zip Files

To illustrate how zip files can be misused, the post breaks down the different ways that three popular zip archive readers — 7.zip, Windows File Explorer, and WinRAR — handle concatenated zip files.

7.zip, for example, will only display the contents of the first archive and then may display a warning that "there are some data after the end of the archive." However, this message often is overlooked and thus malicious files may not be detected, the researchers noted.

Windows File Explorer demonstrates different potential for malicious use as it "may fail to open the file altogether or, if renamed to .rar, will display only the 'malicious' second archive’s contents," according to the post. "In both cases, its handling of such files leaves gaps if used in a security context," Vaiselbuh and Cabra wrote.

WinRAR takes a different tack in that it actually reads the second central directory and displays the contents of the second and potentially malicious archive, making it "a unique tool in revealing the hidden payload," they added.

Ultimately, though sometimes these readers detect the malicious activity, the different ways that each reader handle concatenated files leaves room for exploit, leading to varying outcomes and potential security implications, according to Perception Point.

Phishing Attack Vector

The phishing attack that exploits concatenation observed by Perception Point starts with an email that purports to come from a shipping company and uses urgency to bait users. The email is marked with "High Importance" and includes an attachment, SHIPPING_INV_PL_BL_pdf.rar, sent under the guise that it's a shipping document that must be reviewed before a shipment can be completed.

The attached file appears to be a rar archive due to its .rar extension, but is actually a concatenated zip file, deliberately disguised to confuse the user not only by exploiting trust associated with rar files, but also bypassing basic detections that might rely on file extensions for initial file assessments, according to the post.

The file contains a variant of the known Trojan malware family SmokeLoader that's designed to automate malicious tasks such as downloading and executing additional payloads, which could include other types of malware, such as banking Trojans or ransomware.

However, when tested, only two of the three tools that parse zip files actually detected that there is a potentially malicious archive in the file, according to the post. Opening the attachment using 7.zip reveals only a benign-looking PDF titled "x.pdf," which appears to be an innocent shipping document. On the other hand, both Windows File Explorer or WinRAR fully expose the hidden danger.

"Both tools display the contents of the second archive, including the malicious executable SHIPPING_INV_PL_BL_pdf.exe, which is designed to run and execute the malware," Vaiselbuh and Cabra wrote.

Mitigation of a Persistent Issue

Perception Point security researchers contacted the developers of 7.zip to address the behavior they observed between its reader and of concatenated zip files, according to the post. However, their response did not acknowledge that it is any kind of vulnerability.

"The developer confirmed that it is not a bug and is considered intentional functionality — meaning this behavior is unlikely to change, leaving the door open for attackers to continue exploiting it," Vaiselbuh and Cabra wrote.

Given that the risk continues to exist for the observed attack vector to abuse these files in phishing attacks, users are urged to approach any email sent from an unknown entity that requires them to take immediate action by opening an unsolicited file with caution.

Enterprises also are encouraged to use advanced security tools that detect when a zip archive (or a malformed rar archive) is concatenated and recursively extract every layer. This type of analysis can ensure "that no hidden threats are missed, regardless of how deeply they are buried — deeply nested or concealed payloads are revealed for further analysis," Vaiselbuh and Cabra wrote.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!