Hackers Now Use ZIP File Concatenation to Bypass Detection

Cybercriminals are now leveraging ZIP file concatenation to deliver malware undetected, exploiting the way ZIP parsers process these combined files. This tactic, identified by researchers at Perception Point, was used in a phishing scheme where hackers hid a trojan within a seemingly harmless compressed file attachment.

How ZIP File Concatenation Works

In a typical attack, hackers first create multiple ZIP archives, hiding the malicious content in one while keeping the others benign. They then merge these files, creating a single archive with multiple ZIP structures, each containing separate directories and end markers. Different ZIP handlers interpret these files in varying ways:

  • 7-Zip reads only the first ZIP file and may display a benign file, leaving users unaware of hidden malware.
  • WinRAR displays all ZIP structures, potentially revealing the hidden malware.
  • Windows File Explorer may not open the file at all or show only the second archive if renamed as a .RAR.

Attackers can adjust their strategy depending on how a particular app processes these concatenated files, increasing their chances of success.

Mitigation Strategies

To counteract these attacks, Perception Point suggests security solutions capable of recursive unpacking, which would reveal hidden content within concatenated ZIPs. They also recommend handling emails with ZIP attachments cautiously and implementing filters to block certain file types in high-security environments.

This evolving technique underscores the need for robust cybersecurity practices, especially for organizations managing sensitive data. By understanding how hackers use file concatenation to avoid detection, individuals and businesses can better safeguard against these types of phishing attacks.