
Hackers Use New ZIP File Trick to Hide Malware from Antivirus Programs

Cybersecurity experts have uncovered a new method attackers are using to evade antivirus software: hiding malware inside a ZIP file built from more than one archive, so that users and scanning software disagree about what the file contains. The technique, known as “ZIP file concatenation,” appends two or more complete ZIP archives into a single file, with the malware placed in a later archive. Because many tools parse only one of the archives, antivirus programs can miss the malicious content, often leaving users exposed to attacks without their knowledge.

How ZIP File Concatenation Works

A ZIP file ends with a central directory that records the name and offset of every member in the archive, followed by an end-of-central-directory record that tells a reader where that directory starts. In a concatenated ZIP, two or more complete archives are simply appended back to back, so the file carries several central directories. Which one a program uses depends on how it parses the file: a reader that starts from the beginning stops after the first archive, while a reader that starts from the end of the file finds the last archive's directory. The result is a single file whose visible contents change with the software used to open it.

For example, popular archiving programs handle these files in ways that directly impact security:

  • 7zip: This program parses the file from the beginning and reads only the first archive's central directory. If the malware is stored in a later archive, 7zip users won't see it; they see only the harmless files in the first archive, which creates a false sense of security. 7zip does print a warning about extra data after the end of the archive, but the warning is easy to miss.
  • WinRAR: Unlike 7zip, WinRAR locates the second (last) central directory and lists its members, potentially revealing the hidden malware.
  • Windows File Explorer: Its built-in extractor may fail to open a concatenated ZIP at all. If the file is renamed with a .RAR extension, however, it may read the second central directory, where malware might be lurking.

The security company Perception Point, which first reported this attack (with additional details from BleepingComputer), highlights how these differences affect detection rates. The evasion works because of a mismatch: an antivirus engine or email gateway that parses only the first archive sees nothing but benign files, while the archiver on the victim's machine may extract the second archive and hand the user the malware. Any scanner that stops at the first central directory effectively overlooks malicious code buried in later archives.
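As an added example (not part of the original article or of Perception Point's research), the Python script below builds a concatenated ZIP from two constructed archives and shows the two views of it that this section describes: a reader that walks records from the start of the file sees only the first archive, while Python's own zipfile module, which locates the last end-of-central-directory record, sees only the second. The scan function doubles as the check a scanner should run: count the end-of-central-directory records and flag any bytes beyond the first archive. The member names and contents are made up; the fake invoice.exe is a placeholder, not real malware.

```python
import io
import struct
import zipfile

# Record signatures from the ZIP specification (APPNOTE).
LFH_SIG = b"PK\x03\x04"   # local file header, precedes each member's data
CD_SIG = b"PK\x01\x02"    # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record (one per archive)

LFH_FMT = "<4sHHHHHIIIHH"        # 30-byte local file header
CD_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte central directory header
EOCD_FMT = "<4sHHHHIIH"          # 22-byte end of central directory record
FLAG_DATA_DESCRIPTOR = 0x0008    # sizes follow the data instead of the header


def make_zip(members):
    """Build a normal in-memory ZIP archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def concatenate(*archives):
    """The attack itself: complete archives appended back to back."""
    return b"".join(archives)


def names_seen_by_trailing_reader(blob):
    """What a reader that locates the *last* EOCD record sees.

    Python's zipfile works this way (and corrects the directory offsets for
    the leading bytes), so it reports only the final archive's members.
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def _next_record(blob, pos):
    """Heuristic used only for data-descriptor members: first offset >= pos
    holding a known record signature (compressed data could collide)."""
    hits = [i for i in (blob.find(s, pos) for s in (LFH_SIG, CD_SIG, EOCD_SIG)) if i != -1]
    return min(hits) if hits else len(blob)


def scan(blob):
    """Walk every record from offset 0, the way a leading-edge reader would.

    Returns {"archives": [[member names], ...], "eocd_records": n,
             "first_archive_end": offset just past the first EOCD record}.
    A well-formed single ZIP has exactly one EOCD record and nothing after it.
    """
    pos, end = 0, len(blob)
    archives, current, eocd_records, first_end = [], [], 0, end
    while pos + 4 <= end:
        sig = blob[pos:pos + 4]
        if sig == LFH_SIG:
            fields = struct.unpack_from(LFH_FMT, blob, pos)
            flags, csize, nlen, xlen = fields[2], fields[7], fields[9], fields[10]
            hdr = struct.calcsize(LFH_FMT)
            current.append(blob[pos + hdr:pos + hdr + nlen].decode("utf-8", "replace"))
            pos += hdr + nlen + xlen
            # With bit 3 set the real sizes live in a descriptor after the data.
            pos = _next_record(blob, pos) if flags & FLAG_DATA_DESCRIPTOR else pos + csize
        elif sig == CD_SIG:
            fields = struct.unpack_from(CD_FMT, blob, pos)
            nlen, xlen, clen = fields[10], fields[11], fields[12]
            pos += struct.calcsize(CD_FMT) + nlen + xlen + clen
        elif sig == EOCD_SIG:
            comment_len = struct.unpack_from(EOCD_FMT, blob, pos)[7]
            pos += struct.calcsize(EOCD_FMT) + comment_len
            eocd_records += 1
            if eocd_records == 1:
                first_end = pos
            archives.append(current)
            current = []
        else:
            pos += 1  # unknown bytes (descriptor, zip64 records, padding): step on
    return {"archives": archives, "eocd_records": eocd_records, "first_archive_end": first_end}


def names_seen_by_leading_reader(blob):
    """What a reader that stops after the first archive sees (7zip's behaviour above)."""
    report = scan(blob)
    return report["archives"][0] if report["archives"] else []


def is_concatenated(blob):
    """Detection rule: more than one EOCD record, or any bytes beyond the first
    archive's EOCD (the condition 7zip warns about)."""
    report = scan(blob)
    return report["eocd_records"] > 1 or report["first_archive_end"] < len(blob)


# Constructed sample: a harmless archive followed by one carrying an executable.
BENIGN = make_zip({"invoice.txt": b"Please find attached our invoice.\n" * 10})
HIDDEN = make_zip({"invoice.exe": b"MZ" + b"\x90" * 64})  # fake PE stub, not real malware
SAMPLE = concatenate(BENIGN, HIDDEN)

if __name__ == "__main__":
    print("leading reader  :", names_seen_by_leading_reader(SAMPLE))
    print("trailing reader :", names_seen_by_trailing_reader(SAMPLE))
    print("concatenated?   :", is_concatenated(SAMPLE))
```

Running the script prints ['invoice.txt'] for the leading reader and ['invoice.exe'] for the trailing one, which is exactly the 7zip-versus-WinRAR discrepancy the text describes. A mail gateway or scanner that wants to close the gap should not trust either view alone: apply the scan to the whole file, and treat a second EOCD record or trailing bytes as a reason to quarantine the attachment.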

Who is at Risk?

This technique is most effective in phishing scams, where attackers deliver the ZIP files as email attachments, hoping recipients will open them without suspicion. Tech-savvy users may be less likely to fall victim, because they might recognize the subtle warning shown by some extraction tools, such as 7zip's “There are some data after the end of the payload data.” That message signals that the file contains content beyond the archive that was unpacked, but without explicit training, many users will overlook it.

Although an attentive user can spot that warning, attackers primarily target less experienced users, who may rely on default Windows programs or simple archiving tools. Once the malware is extracted and launched, it often connects to the internet to download additional malicious payloads, ranging from ransomware to banking trojans.

A Familiar Exploitation of Software Features

This isn’t the first time attackers have exploited quirks of archive formats and the tools that read them. In the past, researchers demonstrated the “ZIP bomb”: a small compressed file whose contents expand to an enormous size when extracted. One well-known example is a single 46 MB file that expands to 4.5 petabytes, enough to exhaust the memory or storage of most systems that attempt to unpack it, including antivirus engines that decompress archives in order to scan them.

The ZIP bomb and ZIP file concatenation tactics underscore that while antivirus software is crucial, it’s not infallible. Attackers continuously look for parsing quirks they can weaponize, and the only real safeguard is a combination of software defenses and user vigilance.

Staying Safe Against ZIP-Based Malware Attacks

For users and organizations, protecting against this type of malware attack requires heightened caution and awareness:

  1. Avoid Opening Unknown ZIP Files: Unless you’re expecting a file, be cautious about opening ZIP archives, especially if they come from unfamiliar senders. Phishing emails are common delivery methods for these attacks.
  2. Look for Warnings: Be mindful of any unusual messages in extraction windows, such as a note that there is extra data after the end of the archive. If you see a warning about unexpected data, delete the file and take no further action.
  3. Regular Software Updates: Ensure your antivirus and file archiving programs are regularly updated, as developers may add patches to better detect concatenated archives.
  4. Educate Team Members: Especially in workplaces, training employees to recognize suspicious files and phishing attempts can significantly reduce risk.

While tools like antivirus software provide a layer of defense, awareness and cautious behavior are vital to maintaining digital security. As hackers continue to adapt and refine their methods, understanding how they exploit software can empower users to stay one step ahead.

Photo Credit: DepositPhotos.com
