Hackers bury malware in new ZIP file attack — combining multiple ZIPs into one bypasses antivirus protections

Security researchers have discovered that malicious actors have been using ZIP file concatenation to avoid the detection of the malware within. This technique involves combining multiple ZIP files, with the malware stored in one of the inner archives, making it harder for anti-malware software to discover. Furthermore, researchers at Perception Point (h/t BleepingComputer) noted that the different ways the three most popular file archivers — 7zip, WinRAR, and Windows File Explorer — handle concatenated archives affect detection rates in this type of attack.

ZIP files usually have a single central directory which tells the archiving software where each individual file is located within the archive and where its data starts and ends. However, concatenated archives have two or more central directories, with the file archiver only opening one central directory when a user previews its contents. For example, 7zip only shows the first central directory, while WinRAR would show the second one. On the other hand, Windows File Explorer outright refuses to open concatenated ZIP files (but it would open the second directory if the file is renamed as a .RAR file).

So, if the malicious file is stored in the second directory, users who unpack it using 7zip won’t see the malware at all — only the benign first directory is seen and unpacked. The only indication that there’s another file in the archive is the warning that appears in the extraction window; “There are some data after the end of the payload data”. But if you use WinRAR or Windows File Explorer (with a concatenated .RAR archive), you would be able to see and unpack the malware file.

Note that this is likely an intended behavior based on the popular use cases of some archival software. Most tech-savvy users, including developers and cybersecurity professionals, favor 7zip. So, if they open the suspect file, usually delivered via a phishing email, they won’t see the malicious program, allowing the attack vector to fly under the radar. On the other hand, some would open the archive directly on Windows File Explorer or in WinRAR. Given that the file is delivered via a phishing email, the non-tech savvy users are the obvious targets of this attack. When they open the infected file, it could then connect to the internet to download ransomware, banking trojans, and other types of more advanced malware.

This isn’t the first malicious attack that has taken advantage of the quirks and features of archival software. For example, a security researcher previously discovered the ‘Zip Bomb’ attack where a single 46MB archive expanded into a massive 4.5PB folder, potentially crashing the system opening it. In context, that amount of storage is equal to 4.5 billion high-quality photos at 1MB each or more than 366 years of HD video if one hour consumes 1.4GB. This shows that while security software is an important part of cybersecurity, knowing which files are suspect is still the user’s first line of defense.