• Crooks can merge multiple ZIP archives into a single file
  • Archiver software rarely reads, or displays, all of the merged archives
  • As a result, crooks can sneak malware onto a device

Hackers are using ZIP file concatenation to bypass security solutions and infect their targets with malware through email messages, experts have warned.

A report from cybersecurity researchers Perception Point outline how they recently observed one such campaign while analyzing a phishing attack.

ZIP file concatenation is a type of attack in which multiple ZIP files are merged into one, in order to trick the archiver programs and antivirus solutions.

Mitigating the problem

As Perception Point explains, the crooks would create two (or more) ZIP archives – one completely benign, maybe holding a clean .PDF file, or something similar, and one carrying the malware. Then, they would append the ZIP files into a single file which, while being shown as one file, contains multiple central directories pointing to different sets of file entries.

Different archivers, such as Winzip, WinRaR, 7zip, and others, handle these types of files differently, allowing crooks to move past cybersecurity solutions and infect the target device. 7zip, for example, only reads the first ZIP archive, which could lead to compromise. It could warn the user about additional data, though. WinRaR reads all ZIP structures and will reveal the malware, while Windows File Explorer only displays the second ZIP archive.

In practice, that would mean the crooks would send out the usual phishing email, “warning” the victim of a pending invoice, or an undelivered parcel. The victim would download and run the attachment, and unknowingly get infected with a trojan, or similar malware.

Perception Point argues that “traditional detection tools” often fail to unpack and fully parse such ZIP files, and suggests its proprietary solution (who woulda thunk?).

“By analyzing every layer recursively, it ensures that no hidden threats are missed, regardless of how deeply they are buried – deeply nested or concealed payloads are revealed for further analysis.”

However, simply being careful with email attachments and not downloading things from unconfirmed sources should keep you secure anyway.


This article first appeared in Tech Radar, written by Sead Fadilpašić on November 12, 2024.