Hackers now use ZIP file concatenation to evade detection

November 10, 2024 at 06:43PM

Hackers are exploiting ZIP file concatenation to deliver malware undetected on Windows machines. The method merges multiple ZIP archives into one file, hiding a trojan that is then distributed through a phishing email. Perception Point recommends security solutions capable of recursive unpacking and advises treating emails with ZIP attachments with caution.

### Meeting Takeaways

1. **Attack Technique**: Hackers are increasingly using a concatenation technique to deliver malware via ZIP files, specifically targeting Windows machines. This method allows them to evade detection by security solutions.

2. **Malware Disguising**: The method involves hiding a trojan within a concatenated ZIP archive, which was identified during the analysis of a phishing attack that posed as a shipping notice.

3. **Concatenation Process**:
– Attackers create multiple ZIP archives, embedding malicious content in one and innocuous files in the others.
– These archives are then merged into a single concatenated file.

4. **Inconsistencies in ZIP Parsers**: Different tools handle a concatenated ZIP file in different ways, and the technique relies on these discrepancies:
– **7zip**: Reads only the first archive, so it can overlook the payload placed in a later one.
– **WinRAR**: Displays all structures, exposing the hidden files, including the malware.
– **Windows File Explorer**: May fail to open the file or, when the file is renamed, show only the second ZIP structure.

5. **Research Observations**: Tests carried out by Perception Point demonstrated that while 7zip presented only a harmless file, Windows Explorer revealed the malicious executable.

6. **Defense Recommendations**:
– Use security solutions that support recursive unpacking of ZIP files.
– Treat emails with ZIP attachments as suspicious and implement filtering to block these file types in critical environments.
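The parser discrepancies in point 4 and the recursive-unpacking recommendation in point 6 can be checked directly. The following Python example is added here and is not code from the article or from Perception Point: it builds a constructed two-archive concatenation with inert placeholder content, enumerates every embedded archive by locating each End of Central Directory record and validating the central directory in front of it, and contrasts that with the single listing Python's `zipfile` (which trusts only the trailing record) returns. File names are constructed.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"   # Central Directory file header signature

def list_archives(data: bytes) -> list[list[str]]:
    """One list of member names per valid ZIP archive found anywhere in data."""
    archives = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + 22 <= len(data):
            # EOCD fields: total entries (u16 @10), central dir size (u32 @12); the directory ends at the EOCD
            total, cd_size = struct.unpack_from("<HI", data, pos + 10)
            p = pos - cd_size
            names, ok = [], p >= 0
            for _ in range(total):
                if not ok or data[p:p + 4] != CDFH_SIG:
                    ok = False  # not a real EOCD (e.g. the 4 bytes sat inside compressed data)
                    break
                name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, p + 28)
                names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
                p += 46 + name_len + extra_len + comment_len
            if ok:
                archives.append(names)
        pos = data.find(EOCD_SIG, pos + 4)
    return archives

def scan(data: bytes) -> dict:
    """Archive count, every member name, and what Python's zipfile (last EOCD only) shows."""
    archives = list_archives(data)
    return {
        "archive_count": len(archives),
        "all_members": sorted({n for arc in archives for n in arc}),
        "stdlib_view": zipfile.ZipFile(io.BytesIO(data)).namelist(),
    }

def build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a harmless archive followed by a second archive standing in for the concealed one
SAMPLE = build_zip({"shipping_notice.txt": b"constructed harmless text"}) + build_zip(
    {"hidden.txt": b"constructed placeholder, not a real payload"})
```

Any file where `archive_count` is greater than 1 deserves the same scrutiny as an archive whose every member has been unpacked; `all_members` is the list a recursive unpacker should be inspecting.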

7. **Source of Findings**: All findings come from Perception Point's research into this emerging ZIP-based delivery technique.

These takeaways emphasize the need for heightened awareness and improved security measures against sophisticated attack methods targeting ZIP file handling.
