bleepingcomputer[.]com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/
Hackers are combining 2 ZIP files, one innocent & one with malware, with the result sometimes disguised as a RAR file.
Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them. The technique exploits the different ways ZIP parsers and archive managers handle concatenated ZIP files.
This new trend was spotted by Perception Point, who discovered a concatenated ZIP archive hiding a trojan while analyzing a phishing attack that lured users with a fake shipping notice.
The researchers found that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious tasks.
The next phase of the attack relies on how ZIP parsers handle concatenated archives. Perception Point tested 7zip, WinRAR, and Windows File Explorer, with different results:
7zip only reads the first ZIP archive (which could be benign) and may generate a warning about additional data, which users may miss.
WinRAR reads and displays both ZIP structures, revealing all files, including the hidden malicious payload.
Windows File Explorer may fail to open the concatenated file or, if renamed with a .RAR extension, might display only the second ZIP archive.
Depending on the app’s behavior, the threat actors may fine-tune their attack, such as hiding the malware in the first or the second ZIP archive of the concatenation.
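A defender-side check for this layout, added here as an example (it is not code from the article or from Perception Point): it resolves the End of Central Directory record from the tail of the file the way a ZIP parser does, walks backwards to find every complete archive glued in front of it, lists each archive's member names, and shows what a parser that trusts only the final record reports. The two small archives and their file names are constructed in memory; only the Python standard library is used.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"               # sig, disk numbers, entry counts, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes, followed by the optional archive comment

def _find_eocd(data: bytes) -> int:
    """Offset of the EOCD record that terminates data, or -1. Walks backwards and requires
    the comment length to reach end of file, so a stray signature in a comment is rejected."""
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_LEN + comment_len == len(data):
                return pos
        pos = data.rfind(EOCD_SIG, 0, pos)
    return -1

def split_concatenated_zip(data: bytes) -> list[tuple[int, int]]:
    """(start, end) ranges of every complete ZIP in data, first archive first."""
    ranges, end = [], len(data)
    while end > 0:
        eocd = _find_eocd(data[:end])             # resolve the tail, as tail-first parsers do
        if eocd == -1:
            break                                 # leading bytes are not a ZIP (SFX stub, junk)
        cd_size, cd_offset = struct.unpack_from(EOCD_FMT, data, eocd)[5:7]
        start = eocd - cd_size - cd_offset        # where this archive's first local header sits
        if start < 0:
            break                                 # inconsistent EOCD: stop rather than guess
        ranges.append((start, end))
        end = start                               # now inspect whatever precedes this archive
    return ranges[::-1]

def members(data: bytes, rng=None) -> list[str]:
    """Names zipfile lists for one embedded archive, or for the whole file when rng is None."""
    if rng is not None:
        data = data[rng[0]:rng[1]]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def make_zip(name: str, content: bytes) -> bytes:
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()

FIRST = make_zip("shipping_notice.txt", b"constructed sample, archive one")
SECOND = make_zip("tracking.txt", b"constructed sample, archive two")
SAMPLE = FIRST + SECOND                           # constructed: two harmless archives glued together
```

On the sample, `split_concatenated_zip` reports two archives while `members(SAMPLE)` with no range returns only the second archive's file, which is the discrepancy between tools that the article describes; a file with more than one range is worth flagging before any archive manager opens it.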