Attackers Use Malformed ZIP Archives to Evade Antivirus and EDR Tools


Cybersecurity researchers at the CERT Coordination Center (CERT/CC) have issued a warning regarding a newly disclosed evasion technique tracked as VU#976247.

Threat actors are increasingly utilizing malformed ZIP archives to bypass Antivirus (AV) and Endpoint Detection and Response (EDR) scanning engines.

By manipulating the internal headers of these archives, attackers can successfully hide malicious payloads, causing critical security tools to produce false negatives.

How the Evasion Technique Works

Standard ZIP archives contain essential metadata, such as version information, flags, and the specific compression method used to pack the files.

Antivirus engines and EDR solutions typically rely heavily on this declared metadata to understand how to preprocess and inspect the files before scanning them for threats.

If an attacker intentionally modifies the compression method field within the header, the antivirus software struggles to properly decompress the archive.

Consequently, the security tool is completely unable to analyze the actual payload inside the file.

While some security products might flag the modified file as corrupted or broken, they fail to identify and block the underlying malicious code.

For this attack to compromise a system, the hidden payload must still be extracted and executed.

Interestingly, standard extraction tools such as 7-Zip, unzip, bsdtar, and Python’s zipfile generally trust the tampered compression metadata.

When they attempt decompression, they fail and return CRC or “unsupported method” errors, leaving the hidden payload unexposed and unexecuted.

To bypass this hurdle, attackers deploy custom malware loaders. These specialized loaders are programmed to completely ignore the tampered compression method field.

Instead, they directly extract and decompress the embedded malicious data, allowing the attacker to execute their code programmatically while remaining invisible to traditional AV engines.

This evasion tactic allows attackers to successfully deliver malware past endpoint security defenses.

According to CERT, the vulnerability, reported by security researcher Christopher Aziz, closely mirrors past archive-manipulation techniques such as CVE-2004-0935.

Currently, networking giant Cisco has been confirmed as affected. Several other major security vendors, including AhnLab, Avast, Bitdefender, and Avira, are currently listed with an “Unknown” status regarding their susceptibility to this specific technique.

Mitigation Strategies

To defend against this evasion tactic, organizations and security vendors must update their archive handling processes:

  • Security vendors must stop relying solely on declared archive metadata to determine how to scan and handle file contents.
  • Antivirus and EDR scanners should implement aggressive detection modes that validate the compression method fields against the actual characteristics of the content.
  • Security tools should be configured to flag metadata inconsistencies and automatically send these files for deeper heuristic inspection.
  • Organizations should actively contact their AV and EDR providers to determine if their current software versions are vulnerable to malformed ZIP headers and request mitigation patches.
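The following is an added, defender-side example that is not code from CERT/CC, the article, or any vendor named in it. It turns the advisory's description (a ZIP whose declared compression method no longer matches its payload) and the first three mitigation bullets into a small consistency checker: it parses the central directory and each local file header itself instead of trusting a library, checks that both headers agree on the method, attempts to decode the payload with the declared method, verifies the result against the declared CRC-32 and uncompressed size, and, when that fails, tests whether the bytes decode cleanly under a different method, which is the signal that the metadata was altered and the file deserves deeper inspection. Assumptions: only STORED and DEFLATE are implemented, ZIP64 and multi-disk archives are out of scope, and the sample archive (including the `build_sample(60)` tampered variant, where 60 is an unassigned method value chosen for the demonstration) is constructed inline. `stock_zipfile_can_extract` also shows the behaviour the article attributes to stock extractors: Python's `zipfile` refuses the tampered file rather than revealing its contents.

```python
import io
import struct
import zipfile
import zlib

# ZIP record signatures (little-endian layouts as in the ZIP APPNOTE)
LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

METHOD_STORED = 0
METHOD_DEFLATED = 8


def parse_central_directory(data):
    """Walk the central directory and return one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, n_total, _, cd_offset, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        (_, _, _, method, _, _, crc, csize, usize,
         nlen, elen, clen, _, _, _, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append({"name": name, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "local_off": local_off})
        pos += 46 + nlen + elen + clen
    return entries


def read_local_header(data, off):
    """Return (declared method, offset where the compressed bytes begin)."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("bad local header signature at %d" % off)
    _, _, method, _, _, _, _, _, nlen, elen = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
    return method, off + 30 + nlen + elen


def try_decompress(blob, method):
    """Decode blob with the given method, or None if that is impossible.
    Assumption of this example: only STORED and DEFLATE are implemented."""
    if method == METHOD_STORED:
        return blob
    if method == METHOD_DEFLATED:
        try:
            return zlib.decompress(blob, -15)   # raw DEFLATE stream, no zlib header
        except zlib.error:
            return None
    return None


def _matches(out, entry):
    """Does a decoded payload reproduce the CRC-32 and size the headers declare?"""
    return out is not None and len(out) == entry["usize"] and zlib.crc32(out) == entry["crc"]


def audit_zip(data):
    """Return [(name, [problem, ...]), ...]; an empty problem list means consistent."""
    report = []
    for e in parse_central_directory(data):
        local_method, start = read_local_header(data, e["local_off"])
        blob = data[start:start + e["csize"]]
        problems = []
        if local_method != e["method"]:
            problems.append("local header method %d != central directory method %d"
                            % (local_method, e["method"]))
        out = try_decompress(blob, e["method"])
        if out is None:
            problems.append("declared method %d cannot decode the payload" % e["method"])
        elif not _matches(out, e):
            problems.append("payload decoded with declared method does not match CRC/size")
        if not _matches(out, e):
            # The advisory's mitigation: judge the bytes, not the label. If another
            # method reproduces the declared CRC and size, the metadata was altered.
            for alt in (METHOD_STORED, METHOD_DEFLATED):
                if alt != e["method"] and _matches(try_decompress(blob, alt), e):
                    problems.append("payload actually decodes with method %d; "
                                    "route for deeper inspection" % alt)
                    break
        report.append((e["name"], problems))
    return report


def stock_zipfile_can_extract(data):
    """Does Python's own zipfile (one of the extractors the advisory lists) succeed?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(zf.namelist()[0])
        return True
    except Exception:
        return False


def build_sample(tamper_method=None):
    """Constructed sample: a one-file DEFLATE archive of benign text. If tamper_method
    is given, the method field in both headers is overwritten with that value."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"benign sample text, repeated to compress well. " * 40)
    data = bytearray(buf.getvalue())
    if tamper_method is not None:
        lh = data.find(LOCAL_SIG)      # method field sits at local header offset + 8
        cd = data.find(CENTRAL_SIG)    # method field sits at central header offset + 10
        struct.pack_into("<H", data, lh + 8, tamper_method)
        struct.pack_into("<H", data, cd + 10, tamper_method)
    return bytes(data)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample()), ("tampered", build_sample(60))):
        print(label, "- stock zipfile extracts:", stock_zipfile_can_extract(sample))
        for name, problems in audit_zip(sample):
            print("  ", name, problems or "consistent")
```

The design point is the fourth bullet of the list above: a scanner that stops at "unsupported method" or "CRC error" has produced exactly the false negative the advisory warns about, whereas a scanner that asks "under which method do these bytes reproduce the declared CRC and size?" gets a concrete, low-false-positive indicator that the archive was edited after packing. In a real engine the same check would cover every method the engine supports and would fall back to content-based file-type identification of the raw blob when no method matches.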
