Ethical Hacking News
Hackers are using a new technique to evade detection in phishing attacks by concatenating ZIP files. This approach exploits the different ways that various ZIP parsers handle concatenated ZIP files, making it challenging for security solutions to detect these types of attacks. By understanding this technique and taking steps to defend against it, individuals and organizations can reduce their risk of falling victim to these sophisticated attacks.
Hackers use concatenated ZIP files to hide malicious payloads in phishing attacks.
The technique exploits varying behaviors of different ZIP parsers, making detection challenging.
Attackers can fine-tune their attack by hiding malware in the first or second ZIP archive.
To defend, use security solutions with recursive unpacking and implement file extension filters.
Regularly update software and applications, and use reputable antivirus software.
Hackers are increasingly using a sophisticated technique to evade detection in phishing attacks: concatenating ZIP files to hide malicious payloads. This approach exploits the different ways in which various ZIP parsers and archive managers handle concatenated ZIP files, making it challenging for security solutions to detect these types of attacks.
The technique involves creating multiple separate ZIP archives, hiding the malicious payload in one of them, leaving the rest with innocuous content. The separate files are then concatenated into a single ZIP archive by appending the binary data of one file to the other, merging their contents into a combined ZIP archive. Although the final result appears as one file, it contains multiple ZIP structures, each with its own central directory and end markers.
The attackers take advantage of the varying behaviors of different ZIP parsers when handling concatenated archives. Perception Point, a cybersecurity firm, recently discovered a concatenated ZIP archive hiding a trojan in a phishing attack that lured users with a fake shipping notice. The researchers found that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious tasks.
The company tested 7zip, WinRAR, and Windows File Explorer and found that they handle concatenated ZIP files differently. 7zip only reads the first ZIP archive (which could be benign) and may generate a warning about additional data, which users may miss. WinRAR, on the other hand, reads and displays both ZIP structures, revealing all files, including the hidden malicious payload. Windows File Explorer may fail to open the concatenated file or, if the file is renamed with a .RAR extension, might display only the second ZIP archive.
Depending on the app's behavior, the attackers may fine-tune their attack by hiding the malware in the first or the second ZIP archive of the concatenation. This can make it challenging for security solutions to detect the malicious payload.
To defend against concatenated ZIP files, Perception Point suggests that users and organizations use security solutions that support recursive unpacking. Generally, emails attaching ZIPs or other archive file types should be treated with suspicion, and filters should be implemented in critical environments to block related file extensions.
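To show why a single-archive parser misses one half of a concatenated file, and what a scanner that enumerates every ZIP structure looks like, here is an added Python example (not code from the article or from Perception Point). It builds a constructed sample of two small archives appended together, then walks every End of Central Directory record in the blob; the helper names and the sample file names are assumptions made for this illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record
CDFH_SIG = b"PK\x01\x02"   # Central directory file header

def list_zip_structures(blob: bytes) -> list[list[str]]:
    """Return the file names in every ZIP structure found in blob.

    Each EOCD record marks one archive. Its central-directory offset is
    relative to the start of *that* archive, not to the start of the file,
    so the directory is located by walking back cd_size bytes from the
    EOCD rather than trusting the offset. A parser that honours only the
    last (or first) EOCD sees just one of the concatenated parts.
    Caveat: the signature scan can in principle match inside compressed
    data; a production scanner should validate each candidate record.
    """
    structures = []
    pos = blob.find(EOCD_SIG)
    while pos != -1:
        (_disk, _cd_disk, _n_disk, n_total, cd_size, _cd_off,
         _comment_len) = struct.unpack("<HHHHIIH", blob[pos + 4:pos + 22])
        p = pos - cd_size                      # central directory start
        names = []
        for _ in range(n_total):
            if blob[p:p + 4] != CDFH_SIG:
                break
            fname_len, extra_len, comment_len = struct.unpack("<HHH", blob[p + 28:p + 34])
            names.append(blob[p + 46:p + 46 + fname_len].decode("utf-8", "replace"))
            p += 46 + fname_len + extra_len + comment_len
        structures.append(names)
        pos = blob.find(EOCD_SIG, pos + 4)
    return structures

def is_concatenated(blob: bytes) -> bool:
    return len(list_zip_structures(blob)) > 1

def build_zip(files: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a benign archive with a second archive appended (a
# harmless stand-in for the hidden part); appending the bytes is exactly
# the concatenation the article describes.
FIRST = build_zip({"invoice.txt": b"Thanks for your order.\n"})
SECOND = build_zip({"second_archive.txt": b"constructed stand-in, not malware"})
CONCATENATED = FIRST + SECOND

def single_parser_listing(blob: bytes) -> list[str]:
    # Python's zipfile reads only the final EOCD, so it reports one structure.
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()
```

Running the scanner over CONCATENATED lists both structures, while single_parser_listing reports only the second archive, mirroring the one-sided views of 7zip and File Explorer described above.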
In addition, it is recommended to regularly update software and applications to ensure they have the latest security patches. It is also essential to use reputable antivirus software that can detect and remove malicious files.
The increasing sophistication of hackers' tactics highlights the need for continuous monitoring and improvement of cybersecurity measures. As attackers continue to evolve their techniques, it is crucial for individuals and organizations to stay vigilant and implement robust security protocols to protect against these types of threats.
Related Information:
https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
https://cybersecuritynews.com/hackers-employ-zip-file-concatenation/
https://www.pcmag.com/news/serious-winrar-flaw-can-be-exploited-to-launch-malware
https://arstechnica.com/security/2023/08/winrar-0-day-that-uses-poisoned-jpg-and-txt-files-under-exploit-since-april/
Published: Sun Nov 10 18:30:56 2024 by llama3.2 3B Q4_K_M