Hackers bury malware in new ZIP file attack — combining multiple ZIPs into one bypasses antivirus protections

Russian Dolls
(Image credit: Shutterstock)

Security researchers have found that attackers are using ZIP file concatenation to keep malware from being detected. The technique appends one or more complete ZIP archives to another; the malware sits in one of the appended archives, where security software that parses only the first archive never looks. Researchers at Perception Point (h/t BleepingComputer) also noted that the three most popular archivers, 7zip, WinRAR, and Windows File Explorer, each handle a concatenated file differently, and that this difference affects detection rates in this type of attack.

A normal ZIP file has a single central directory, a table at the end of the file that tells the archiver which files it contains and where each one's compressed data starts and ends. A concatenated file is simply two or more complete ZIP archives appended to one another, so it carries two or more central directories, and an archiver reads only one of them when it lists the contents. Which one depends on how the parser locates the directory. The ZIP specification places the end-of-central-directory record at the tail of the file, so a parser that works backwards from the end lands on the last archive's directory, while a parser that starts from the first file header at the front of the file sees only the first archive. In practice, 7zip shows the first archive's directory, WinRAR shows the second, and Windows File Explorer refuses to open the file at all (though it will show the second directory if the file is renamed to .RAR).

So if the malicious file is stored in the second archive, a user who unpacks the file with 7zip never sees the malware: only the benign first archive is listed and extracted. The only hint that there is more in the file is a warning in the extraction window: “There are some data after the end of the payload data”. Open the same file with WinRAR, or with Windows File Explorer after renaming it to .RAR, and the malware is listed and extracted instead.
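The following is an added example, not code from the article or from Perception Point. It builds a concatenated ZIP in memory from constructed placeholder members (the ".exe" is plain text), then lists it three ways: a walker that starts at the front of the file (the behaviour the article attributes to 7zip), a parser that follows the ZIP specification and starts from the end-of-central-directory record (the behaviour the article attributes to WinRAR, and what Python's own zipfile does), and an enumerator that finds every archive in the file. The last function is the check a mail gateway or scanner should run before trusting any single listing.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header: one per member, at the front of an archive
CDIR_SIG = b"PK\x01\x02"   # central directory entry
EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record, at the tail of an archive


def make_zip(files):
    """Build a ZIP in memory from {name: bytes} (constructed placeholder members)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def concatenated_sample():
    """Benign archive with a second archive appended byte for byte, the layout the article
    describes. The '.exe' member is plain text, not a program."""
    benign = make_zip({"invoice.pdf": b"%PDF-1.4 constructed placeholder document\n"})
    appended = make_zip({"invoice.exe": b"MZ constructed placeholder, not a real program\n"})
    return benign + appended

def list_from_front(data):
    """Walk local file headers from offset 0, like a parser that starts at the first PK
    signature (the 7zip behaviour the article describes). It halts at the first archive's
    central directory, so the appended archive is never reached. Members written with a
    data descriptor (flag bit 3) store sizes after the data; this walker stops there."""
    names, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        # sig, version, flags, method, time, date, crc, csize, usize, name_len, extra_len
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<4s5H3I2H", data, pos)
        if flags & 0x0008:
            break
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        pos += 30 + nlen + xlen + csize
    return names

def read_central_directory(data, cd_start, count):
    """Return `count` member names from the central directory that starts at cd_start."""
    names, pos = [], cd_start
    for _ in range(count):
        if data[pos:pos + 4] != CDIR_SIG:
            raise ValueError("expected central directory entry at offset %d" % pos)
        nlen, xlen, clen = struct.unpack_from("<28x3H", data, pos)
        names.append(data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"))
        pos += 46 + nlen + xlen + clen
    return names

def list_from_end(data):
    """Find the directory via the EOCD record at the tail of the file, as the ZIP spec
    directs (WinRAR per the article, and Python's zipfile, both do this). In a concatenated
    file that is the *last* archive's directory; the first archive is invisible."""
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))  # a comment may follow it
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, cd_size, _offset = struct.unpack_from("<10xHII", data, eocd)
    return read_central_directory(data, eocd - cd_size, count)

def find_archives(data):
    """Enumerate every archive in the file. A candidate EOCD record counts only if a central
    directory sits directly before it; that archive then begins at
    EOCD position - directory size - recorded directory offset. A scanner must walk all of these."""
    archives, idx = [], data.find(EOCD_SIG)
    while idx >= 0:
        if idx + 22 <= len(data):
            count, cd_size, cd_offset = struct.unpack_from("<10xHII", data, idx)
            cd_start = idx - cd_size
            if cd_start >= 0 and data[cd_start:cd_start + 4] == CDIR_SIG:
                try:
                    names = read_central_directory(data, cd_start, count)
                    archives.append({"start": cd_start - cd_offset, "names": names})
                except ValueError:
                    pass  # signature bytes that occurred by chance inside member data
        idx = data.find(EOCD_SIG, idx + 1)
    return archives

def concatenation_check(data):
    """More than one valid archive, or an archive not beginning at byte 0, means no single
    archiver's listing is the whole story. Leading bytes alone are also what a
    self-extracting .exe looks like, so treat that case as 'inspect', not 'reject'."""
    archives = find_archives(data)
    leading = archives[-1]["start"] if archives else None
    return {"archives": len(archives), "leading_bytes": leading,
            "suspicious": len(archives) > 1 or (leading or 0) > 0}

def demo():
    """Three views of the same bytes, then the scanner's verdict."""
    data = concatenated_sample()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        stdlib_view = zf.namelist()
    return {"front": list_from_front(data),                    # ['invoice.pdf']
            "end": list_from_end(data),                        # ['invoice.exe']
            "stdlib": stdlib_view,                             # ['invoice.exe']
            "all": [a["names"] for a in find_archives(data)],  # [['invoice.pdf'], ['invoice.exe']]
            "check": concatenation_check(data)}                # suspicious: True

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The two simple listers are deliberately minimal parsers that mirror the two ways of locating a directory; they are not claims about how 7zip or WinRAR are implemented beyond what the article states. The practical takeaway is in `find_archives` and `concatenation_check`: a scanner that unpacks an attachment with one library sees one archive, so it should enumerate every end-of-central-directory record (or at least flag a file whose last archive does not start at byte 0) before declaring the attachment clean.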

The attackers are likely counting on this split in behaviour. Tech-savvy users, including developers and security professionals, tend to favor 7zip, so when one of them opens the suspect file, usually delivered as a phishing attachment, they see nothing malicious and the campaign stays under the radar. Less technical users are more likely to open the attachment directly in Windows File Explorer or WinRAR, and they are the obvious targets. Once the hidden file is run, it can connect to the internet to fetch ransomware, banking trojans, or other, more advanced malware.

This isn’t the first attack to exploit the quirks and features of archive software. A security researcher previously demonstrated a ‘zip bomb’: a single 46MB archive that expands to 4.5PB, enough to exhaust the storage of any system that tries to unpack it. For scale, that is 4.5 billion high-quality photos at 1MB each, or more than 366 years of HD video at 1.4GB per hour. Security software is an important part of the picture, but knowing which files to treat as suspect remains the user’s first line of defense.

Jowi Morales
Contributing Writer

Jowi Morales is a tech enthusiast with years of experience working in the industry. He’s been writing with several tech publications since 2021, where he’s been interested in tech hardware and consumer electronics.

  • COLGeek
    Another threat that downloaders of illicit software are more likely to experience than any legit users.

    If this is you, be prepared to be infected. Only download from safe sites.

    If you pirate software, you may get to experience this first hand. Just don't do it.

    As a reminder, Tom's Hardware does NOT support any form of software piracy. None. Period.
  • kyzarvs
    I'm sure I had this issue in the 90's. Is this really still a thing?
  • Rob1C
    As old as Russian nesting dolls
  • Pemalite
    In other news, water is wet.

    I remember Kaspersky had an option for a "deep scan" of multi-deep RAR/ZIP files over a decade ago, but otherwise would ignore it.
  • TJ Hooker
    Pemalite said:
    In other news, water is wet.

    I remember Kaspersky had an option for a "deep scan" of multi-deep RAR/ZIP files over a decade ago, but otherwise would ignore it.
    If you're thinking this vulnerability involves nested/recursive archives, that is not the case.
  • cryoburner
    COLGeek said:
    Another threat that downloaders of illicit software are more likely to experience than any legit users.

    If this is you, be prepared to be infected. Only download from safe sites.

    If you pirate software, you may get to experience this first hand. Just don't do it.

    As a reminder, Tom's Hardware does NOT support any form of software piracy. None. Period.
    The article was talking about this being used in phishing emails targeting less-tech-savvy users, not mentioning piracy once. The point is that there can be a zip file that displays one set of files when opened in 7zip, while displaying another set of files when opened in Windows Explorer, or both sets of files when opened in WinRAR. So a person or malware scanner opening the file using one extraction utility might only see the safe files, assuming the contents of the archive to be safe, while another person opening it with a different utility would get a different set of files that include an unsafe payload. Reading the actual article that this one was rehashing, the example found to be doing this was an email disguised as a shipping invoice with an attached archive that only appeared to contain a safe PDF document when opened in 7zip, but that instead contained an executable file when opened in Windows Explorer. It wasn't clear about how many antimalware utilities might actually miss such a file, though this is something that should be detectable if they look for it.
  • COLGeek
    cryoburner said:
    The article was talking about this being used in phishing emails targeting less-tech-savvy users, not mentioning piracy once. The point is that there can be a zip file that displays one set of files when opened in 7zip, while displaying another set of files when opened in Windows Explorer, or both sets of files when opened in WinRAR. So a person or malware scanner opening the file using one extraction utility might only see the safe files, assuming the contents of the archive to be safe, while another person opening it with a different utility would get a different set of files that include an unsafe payload. Reading the actual article that this one was rehashing, the example found to be doing this was an email disguised as a shipping invoice with an attached archive that only appeared to contain a safe PDF document when opened in 7zip, but that instead contained an executable file when opened in Windows Explorer. It wasn't clear about how many antimalware utilities might actually miss such a file, though this is something that should be detectable if they look for it.
    Note, the article said "usually". Those who "sail the seven seas" often use questionable sites to download all sorts of files, including some like mentioned in the article.
  • nrdwka
    COLGeek said:
    Note, the article said "usually". Those who "sail the seven seas" often use questionable sites to download all sorts of files, including some like mentioned in the article.
    And they are usually more tech-savvy, avoiding malware as part of the routine of avoiding rifs :) Especially compared to the average office worker.
  • COLGeek
    nrdwka said:
    And they are usually more tech-savvy, avoiding malware as part of the routine of avoiding rifs :) Especially compared to the average office worker.
    I highly doubt that, but okay. Aside from that, it is still very wrong to steal.