Malware: Evading detection with concatenated ZIP files

IT researchers have discovered malware that escapes detection by virus scanners by concatenating ZIP files.

(Image: created with AI in Bing Designer by heise online / dmk)

Windows users who use certain tools to open ZIP files are being targeted by cyber criminals. They send specially prepared ZIP files that are not flagged by virus scanners but can be opened with certain programs.

In this specific case, the IT researchers at Perception Point discovered concatenated ZIP archives containing malware and describe the case in an analysis. A Trojan disguised as a shipping-document file attachment was hidden in a chained ZIP. This email attachment is not detected by many anti-malware programs, yet the Windows malware in the manipulated archive could be extracted with WinRAR, for example.

Detection by anti-virus software can be circumvented with ZIP files that have simply been copied together: the perpetrators append the second .zip containing the malware to the end of the harmless first .zip archive. Under Windows, for example, the command copy /b Archive-*.zip ConcatenatedArchive.zip would merge the files present in the directory as Archive-1.zip and Archive-2.zip into one file.


The cause of the problem lies in the way different software handles such files. The IT security researchers tested the concatenated ZIP with several programs: 7zip shows the contents of the first archive and a warning that further data is present after the end of the archive. The ZIP tool in Windows Explorer delivers different results: with the .zip file extension it cannot open the file at all, but if the prepared archive is renamed to .rar, the contents of the second archive, including the malware, appear. WinRAR, on the other hand, reads the central directory of the second .zip and displays its contents. Such an attack is therefore only promising against users with WinRAR, or, with a changed file name, against Windows users relying on Windows' on-board tools. The phishing email in the analyzed case carried this concatenated ZIP archive under the file name "SHIPPING_INV_PL_BL_pdf.rar", so the malware was accessible with both Windows' own tools and WinRAR.
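The two parser views the article describes can be reproduced and turned into a triage check. The following Python script is an added example, not code from the Perception Point analysis or the article: it builds two small ZIP archives in memory (constructed sample data), concatenates them the way `copy /b` would, and shows that walking local file headers from the start yields only the first archive while trusting the central directory found from the end (as Python's `zipfile`, like WinRAR, does) yields only the second. A scanner can flag the file when the two views disagree or more than one end-of-central-directory record is present.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a one-entry, uncompressed ZIP archive in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def names_from_first_local_headers(data: bytes) -> list:
    """Sequential view: walk local file headers from offset 0 and stop at the
    first non-entry record, which is what a front-to-back unpacker sees."""
    names, pos = [], 0
    while data.startswith(LFH_SIG, pos):
        hdr = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        csize, nlen, elen = hdr[6], hdr[8], hdr[9]
        names.append(data[pos + 30:pos + 30 + nlen].decode("utf-8"))
        pos += 30 + nlen + elen + csize
    return names


def names_from_last_central_directory(data: bytes) -> list:
    """Central-directory view: locate the EOCD record from the end of the file
    and list what its central directory points to (the appended archive)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def count_eocd_records(data: bytes) -> int:
    """A well-formed ZIP carries exactly one EOCD signature."""
    return data.count(EOCD_SIG)


def is_concatenated(data: bytes) -> bool:
    """Triage check: more than one EOCD record, or the sequential view and the
    central-directory view disagree about which entries the archive holds."""
    if count_eocd_records(data) != 1:
        return True
    return names_from_first_local_headers(data) != names_from_last_central_directory(data)


if __name__ == "__main__":
    combined = make_zip("invoice.txt", b"benign text") + make_zip("dropper.exe", b"MZ sample")
    print(names_from_first_local_headers(combined), names_from_last_central_directory(combined))
    print("concatenated:", is_concatenated(combined))
```

The sequential view prints `['invoice.txt']` and the central-directory view `['dropper.exe']`, which is exactly the split between what 7zip and WinRAR display; a scanner that only inspects the first view never reaches the second archive.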

Virus scanners usually rely on ready-made libraries for handling archives, for example free open-source code integrated into their sources. The 7zip unpacker, for instance, is freely available for this purpose but cannot correctly disassemble the manipulated archives, so the malware scan is only possible to a limited extent (on the first archive).

Attempts to circumvent the detection of malware by deliberately destroying or slightly damaging files are part of the standard repertoire of cyber criminals. The various parsers do not function identically to those used in the operating system and therefore deliver different results. In February, for example, it became known that malware launched via rundll32.exe was not detected in Microsoft Defender if the call was extended by a so-called path traversal. Microsoft initially corrected this, but the vulnerability could be exploited again by adding an additional, otherwise useless comma to the call.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.