Hacker News: Hackers now use ZIP file concatenation to evade detection

Source URL: https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
Source: Hacker News
Title: Hackers now use ZIP file concatenation to evade detection

Summary: The text discusses a new technique employed by hackers that utilizes concatenated ZIP files to deliver malicious payloads, evading detection by common security solutions. This emerging threat highlights the need for robust security measures, particularly involving email attachments and archive files.

Detailed Description: The document details a novel method used by threat actors to deliver malware, specifically through the manipulation of ZIP file structures. This method poses significant implications for information security, especially for organizations that rely on email communication and file sharing.

Key points include:

– **Technique Overview**: Hackers are exploiting ZIP file concatenation to deliver trojans hidden within ostensibly harmless files.
– **Phishing Attack**: In one observed instance, a phishing email disguised the malicious payload as a RAR archive, misleading users into executing the malware.
– **File Structure Manipulation**: The technique involves creating multiple ZIP archives (one of which contains malware) and then concatenating them into a single file, which confounds standard parsing methods.
– **ZIP Parser Behavior**: The research highlighted how various ZIP parsers handle these concatenated files differently:
  – **7zip**: Reads and displays only the first ZIP archive, potentially hiding the malicious payload.
  – **WinRAR**: Accurately displays all contained files, revealing the hidden malware.
  – **Windows File Explorer**: Often fails to open these concatenated files or misrepresents their contents based on file extension changes.
– **Adaptive Attacks**: Attackers can adjust their strategies based on the ZIP parser’s behavior to improve their chances of delivering malicious payloads undetected.
– **Defense Recommendations**:
  – Organizations should implement security tools that support recursive unpacking of ZIP files.
  – Treat emails with ZIP attachments with suspicion and implement filtering measures for potentially harmful file types.
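As an added illustration (not code from the article or the research it summarizes), the following Python script builds two small ZIP archives, concatenates them, and shows the parser divergence described above: the standard library's `zipfile` reports only the last archive, while a scan for every End of Central Directory record recovers the file names in both. The archive contents and names are constructed for this example.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDH_SIG = b"PK\x01\x02"    # Central directory file header signature

def find_eocd_records(data: bytes) -> list:
    """Return (eocd_offset, entry_count, cd_size) for every EOCD record.
    A single well-formed ZIP has exactly one; more than one means archives
    were concatenated, and a parser that trusts only one EOCD misses the rest."""
    records, pos = [], data.find(EOCD_SIG)
    while pos != -1 and pos + 22 <= len(data):
        # disk, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
        _, _, _, total, cd_size, _, _ = struct.unpack_from("<HHHHIIH", data, pos + 4)
        records.append((pos, total, cd_size))
        pos = data.find(EOCD_SIG, pos + 4)
    return records

def names_in_central_dir(data: bytes, eocd_pos: int, cd_size: int, count: int) -> list:
    """Walk the central directory that sits directly before an EOCD record."""
    names, pos = [], eocd_pos - cd_size
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:   # not a real central directory: stop
            break
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"))
        pos += 46 + name_len + extra_len + comment_len
    return names

def all_archive_names(data: bytes) -> list:
    """Names from every embedded archive, one list per EOCD record found."""
    return [names_in_central_dir(data, p, size, n) for p, n, size in find_eocd_records(data)]

def stdlib_names(data: bytes) -> list:
    """What Python's zipfile sees: it locates the EOCD by scanning back from the end."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()

def make_zip(name: str, content: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a harmless first archive followed by a second archive.
SAMPLE = make_zip("readme.txt", b"nothing to see") + make_zip("second.bin", b"\x00" * 16)

if __name__ == "__main__":
    print("stdlib sees:  ", stdlib_names(SAMPLE))       # only the last archive
    print("all archives: ", all_archive_names(SAMPLE))  # every embedded archive
```

A mail gateway or sandbox can apply the same check and treat any attachment with more than one EOCD record as suspicious, rather than trusting whichever archive a single parser happens to pick.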

Overall, the findings underscore the importance of adapting security measures to counter innovative attack methods in email security and information protection. Security professionals should be vigilant about this new vector for malware distribution and ensure their systems can effectively detect and analyze concatenated ZIP files.