Threat actors are increasingly obtaining access to corporate systems using malware smuggled in ZIP files, it has emerged. According to the cybersecurity provider Perception Point, this new evasion technique uses ZIP file concatenation to deploy undetected malware onto Windows systems. The method capitalises on differences in how various ZIP readers and archive managers process concatenated ZIP files, allowing threat actors to embed malicious payloads that evade security solutions and mislead analysts relying on common ZIP tools.
Commonly used for compressing and bundling files, the ZIP file format is built from structural elements such as local file entries, a central directory and an end-of-central-directory (EOCD) record; a reader locates the EOCD first and uses it to find the central directory, which is what makes file handling efficient.
This flexibility, however, also makes it susceptible to exploitation. By appending multiple archives into a single file and creating multiple central directories that certain ZIP readers overlook, it is possible to smuggle malware past cybersecurity filters. Additionally, said Perception Point, popular tools such as 7zip, WinRAR, and Windows File Explorer interpret concatenated ZIPs differently, leading to varying levels of visibility for hidden content.
For instance, 7zip only displays files from the initial archive, while WinRAR exposes the second central directory and displays the contents of the second archive, including potentially malicious files. Windows File Explorer, meanwhile, may fail to open concatenated ZIPs entirely or only partially display their contents. By exploiting these variations, attackers can bypass detection on tools that don’t fully parse concatenated files.
Perception Point observed this technique in a recent phishing attack, in which trojan malware was delivered via a concatenated ZIP file attached to a fake shipping notice email. The email, marked as “High Importance,” included an attachment named SHIPPING_INV_PL_BL_pdf.rar, appearing as a legitimate RAR file but concealing malware through concatenation. Opening the file with 7zip displayed an innocent PDF document, but WinRAR and Windows File Explorer revealed an embedded executable designed to deploy the trojan.
Perception Point’s Countermeasure
The trojan malware leverages the AutoIt scripting language to download and execute additional payloads, posing risks such as ransomware and banking trojans. Perception Point’s security researchers reported the issue to 7zip developers, who confirmed that the ZIP handling was intentional, which means the technique remains exploitable.
In response, Perception Point has developed the Recursive Unpacker, a proprietary anti-evasion tool that detects and recursively unpacks concatenated ZIP files to reveal hidden threats. This method allows comprehensive analysis of each layer within an archive, enhancing detection of sophisticated malware that may otherwise go unnoticed.
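To make the structural point concrete (several EOCD records and central directories inside one file) and to show the kind of check a recursive unpacker performs, here is an added Python example. It is not from the article and not Perception Point's tool. It builds two small archives with constructed, harmless text contents, appends them back to back the way the article describes, then walks every valid EOCD record in the blob instead of only the last one, listing the entries of each central directory. For contrast it also shows what Python's standard `zipfile` module reports for the same bytes; the module reads the final EOCD, so it sees only the second archive's entries.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CD_SIG = b"PK\x01\x02"     # central directory file header signature
EOCD_FMT = "<4sHHHHIIH"    # 22-byte fixed part of the EOCD record
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte fixed part of a central directory header


def make_zip(entries):
    """Build a single ZIP archive in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_eocd_candidates(data):
    """Offsets of every EOCD signature in the blob; validated later."""
    offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def list_central_directory(data, cd_start, n_entries):
    """Walk n_entries central directory headers starting at cd_start."""
    names = []
    pos = cd_start
    for _ in range(n_entries):
        hdr = struct.unpack(CDH_FMT, data[pos:pos + 46])
        if hdr[0] != CD_SIG:
            break
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names


def analyze_archives(data):
    """Return [(eocd_offset, [entry names]), ...] for every archive found.

    A well-formed single ZIP yields exactly one element. A concatenated ZIP
    yields one element per appended archive, in file order."""
    archives = []
    for pos in find_eocd_candidates(data):
        if pos + 22 > len(data):
            continue
        _, _, _, _, n_total, cd_size, _, _ = struct.unpack(EOCD_FMT, data[pos:pos + 22])
        # The central directory sits immediately before its EOCD record.
        cd_start = pos - cd_size
        if cd_start < 0 or data[cd_start:cd_start + 4] != CD_SIG:
            continue  # signature bytes inside compressed data, not a real EOCD
        archives.append((pos, list_central_directory(data, cd_start, n_total)))
    return archives


def is_concatenated(data):
    """True when more than one valid archive is present in the blob."""
    return len(analyze_archives(data)) > 1


def stdlib_view(data):
    """Entry names as seen by Python's zipfile, which reads the last EOCD."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


# Constructed sample: a decoy archive followed by a second, separately built archive.
# Both contain harmless placeholder text.
DECOY = make_zip({"invoice.pdf": b"%PDF-1.4 constructed placeholder, not a real document"})
SECOND = make_zip({"second_archive.txt": b"constructed text standing in for the hidden entry"})
SAMPLE = DECOY + SECOND

if __name__ == "__main__":
    for offset, names in analyze_archives(SAMPLE):
        print(f"EOCD at byte {offset}: {names}")
    print("zipfile sees:", stdlib_view(SAMPLE))
    print("concatenated:", is_concatenated(SAMPLE))
```

The validation step matters: matching `PK\x05\x06` alone would flag any archive whose compressed data happens to contain those bytes, so each candidate is accepted only if a central directory header sits exactly `cd_size` bytes before it. A scanner that stops at the first valid EOCD behaves like the 7zip case in the article; one that stops at the last behaves like the `zipfile` case; a recursive unpacker has to handle every segment.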