ZIP files are being used to bypass security gateways

(Image credit: Shutterstock)

Security researchers at Trustwave have discovered a new phishing campaign that utilized a specially crafted ZIP file, designed to bypass secure email gateways, to distribute the NanoCore RAT.

Users are targeted through a spam email pretending to be shipping information from an Export Operation Specialist of USCO Logistics. Attached to the email is a ZIP archive that has a file size which is greater than its uncompressed content.

In a new report, Trustwave explained why the size of the ZIP raised suspicions among its researchers, saying:

"The attachment “SHIPPING_MX00034900_PL_INV_pdf.zip“ makes this message stand out. The ZIP file had a file size significantly greater than that of its uncompressed content. Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes."

Suspicious ZIP files

In addition to a special structure that contains the compressed data and information about the compressed files, each ZIP archive also contains a single End of Central Directory (EOCD) record that is used to indicate the end of the archive structure.

However, when Trustwave researchers examined the ZIP file attached to the spam email, they found that the ZIP archive contained two distinct archive structures that both had their own EOCD record. A ZIP archive should have only one EOCD record and this shows that the ZIP file created by the attackers was altered to contain two archive structures.

The first ZIP structure acts as a decoy and contains a harmless image file called order.jpg. The second ZIP structure on the other hand contained an executable file which contained the NanoCore Remote Access Trojan (RAT). Trustwave then determined that the attackers created this specially crafted ZIP archive in an effort to bypass secure email gateways.

When attempting to open the archive using several file extraction programs, the researchers discovered that the archive was treated differently on a program by program basis. While Windows built-in ZIP extractor said the file was invalid and wouldn't extract it, Trustwave discovered that certain versions of PowerArchiver, WinRar and 7-Zip were able to properly extract the NanoCore executable.

The technique used by the attackers could allow them to deliver malicious payloads that are able to bypass email scanners, but due to the way file extraction programs work, less users would be infected than they initially intended.

  • Protect your devices from the latest cyber threats with the best antivirus software

Via Bleeping Computer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
China
Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Avast cybersecurity
UK cybersecurity sector could be worth £13bn, research shows
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Trump
Hackers are abusing $TRUMP tokens to lure victims in to new phishing scam
Latest in News
Google Gemini Robotics
Gemini just got physical and you should prepare for a robot revolution
Lilo & Stitch Official Trailer
Stitch crashes into earth and steals our hearts with the first trailer for the live-action Lilo & Stitch
GTA 5
GTA Online publisher Take-Two is gunning for a black market that’s basically heaven for cheaters
Y2K cast looking shocked
Y2K has a streaming release date on Max, so you can witness the technology uprising at home
The Discovery+ homepage
Discovery+ just got a big update to its streaming app that makes it more like Max – here are 5 great new features to try
Two Android phones on a green and blue background showing Google Messages
Struggling with slow Google Messages photo transfers? Google says new update will make 'noticeable difference'