Cybercriminals are using a sophisticated evasion technique called ZIP file concatenation to target Windows users. The method appends several ZIP archives into a single file, making it harder for security software to detect malicious content.
As a result, unsuspecting users may inadvertently download harmful files while believing they are accessing safe, compressed data.
This tactic allows attackers to bypass traditional security measures and deliver malware undetected, posing significant risks to individuals and organizations alike.
By exploiting how different ZIP readers process concatenated files, threat actors can embed malicious payloads in archives that evade detection by many standard security tools.
ZIP File Concatenation Technique
ZIP file concatenation involves appending multiple ZIP archives into a single file. While this combined file appears as one archive, it actually contains multiple central directories, each pointing to different sets of files.
According to Perception Point, the key to this technique lies in how various ZIP readers interpret the concatenated structure. Some readers may only display the contents of one archive while ignoring the others, allowing hidden malicious files to go unnoticed.
For example, if two ZIP files are concatenated—one containing benign content and the other harboring malware—certain tools will only show the harmless files. This discrepancy in handling allows attackers to hide their payloads from detection tools that rely on specific ZIP readers.
Popular ZIP readers like 7zip, WinRAR, and Windows File Explorer handle concatenated ZIP files differently:
- 7zip: When opening a concatenated ZIP file with 7zip, only the contents of the first archive are displayed. While 7zip may issue a warning about extra data after the end of the archive, this is often overlooked by users.
- WinRAR: Unlike 7zip, WinRAR reads the second central directory and reveals all contents, including any hidden malicious files. This makes it more effective at detecting threats embedded within concatenated archives.
- Windows File Explorer: Windows’ built-in archive handler struggles with concatenated ZIPs. In some cases, it may fail to open the file altogether or only display part of the archive’s content. This inconsistency makes it unreliable for detecting hidden threats.
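To make the structure concrete, here is an added Python example (not code from the article or from Perception Point's report) that builds a constructed two-part concatenated ZIP in memory, walks every End of Central Directory (EOCD) record in the blob, and lists the file names each central directory points to. It also shows what Python's own zipfile module reports, since it locates the EOCD from the end of the file and therefore lists only the last archive. The file names and contents are placeholders, and the scanner assumes plain (non-ZIP64) archives.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CD_SIG = b"PK\x01\x02"     # central directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record (comment follows)
CD_HDR_LEN = 46            # fixed part of a central directory header


def build_zip(files: dict) -> bytes:
    """Build a small stored (uncompressed) ZIP archive in memory from name -> bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: a benign-looking archive followed by a second archive.
# Both payloads are placeholder bytes, not real documents or executables.
BENIGN_ZIP = build_zip({"report.pdf": b"%PDF-1.4 placeholder document body"})
SECOND_ZIP = build_zip({"report.exe": b"placeholder bytes, not a real program"})
CONCATENATED = BENIGN_ZIP + SECOND_ZIP


def scan_zip_segments(data: bytes) -> list:
    """Find every archive embedded in `data` by locating each EOCD record.

    For each candidate EOCD the archive start is derived as
    eocd_offset - cd_size - cd_offset (cd_offset is relative to the archive
    start), and the candidate is accepted only if a central directory header
    really sits there, so stray signature bytes inside file data are ignored.
    Empty archives are skipped and ZIP64 records are not handled (assumption
    of this demo). Returns one dict per segment: base offset, EOCD offset
    and the file names listed in that segment's central directory.
    """
    segments = []
    pos = 0
    while (idx := data.find(EOCD_SIG, pos)) != -1:
        pos = idx + 1
        if idx + EOCD_LEN > len(data):
            break
        _sig, _disk, _cd_disk, _n_disk, n_total, cd_size, cd_offset, _clen = \
            struct.unpack_from("<4sHHHHIIH", data, idx)
        base = idx - cd_size - cd_offset
        cd_start = base + cd_offset
        if base < 0 or data[cd_start:cd_start + 4] != CD_SIG:
            continue  # not a real EOCD for an archive with entries
        names = []
        p = cd_start
        for _ in range(n_total):
            if data[p:p + 4] != CD_SIG:
                break
            fields = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, p)
            name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
            raw_name = data[p + CD_HDR_LEN:p + CD_HDR_LEN + name_len]
            names.append(raw_name.decode("utf-8", "replace"))
            p += CD_HDR_LEN + name_len + extra_len + comment_len
        segments.append({"base": base, "eocd": idx, "names": names})
    return segments


def is_concatenated(data: bytes) -> bool:
    """True when more than one valid archive (central directory) is present."""
    return len(scan_zip_segments(data)) > 1


def names_seen_by_zipfile(data: bytes) -> list:
    """What Python's zipfile reports: it finds the EOCD by searching from the
    end of the file, so on a concatenated blob it lists only the last archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    for seg in scan_zip_segments(CONCATENATED):
        print(f"archive starting at offset {seg['base']}: {seg['names']}")
    print("concatenated:", is_concatenated(CONCATENATED))
    print("zipfile sees:", names_seen_by_zipfile(CONCATENATED))
```

A gateway or sandbox can apply the same check to attachments: any file with more than one valid central directory deserves to have every segment extracted and scanned, rather than trusting whichever view a single reader happens to present.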
A recent attack highlights how threat actors leverage this technique to deliver malware. In this case, the report says, a phishing email disguised as a shipping notification was sent to victims.
The email contained an attachment named “SHIPPING_INV_PL_BL_pdf.rar,” which appeared to be a RAR file but was actually a concatenated ZIP archive.
When opened with 7zip, the file revealed only a benign-looking PDF document. However, when opened with WinRAR or Windows File Explorer, the hidden malicious executable “SHIPPING_INV_PL_BL_pdf.exe” was exposed.
This executable was identified as a variant of Trojan malware designed to automate malicious tasks such as downloading additional payloads or executing ransomware.
The success of this evasion technique lies in its ability to exploit differences in how various tools process ZIP files. Many security solutions rely on common ZIP handlers like 7zip or native OS tools to scan archives for malicious content.
Since these tools may not fully parse concatenated archives, they can miss hidden threats entirely.
Hackers are increasingly using this method because it allows them to target specific users who rely on certain tools while evading detection by others. For instance, Windows users who depend on built-in tools or 7zip may be at higher risk of falling victim to such attacks.