Once again, hackers have found a sneaky way of hiding malware most of us would never expect. An attacker sending a phishing email with a malicious Zip file attached isn’t unusual. But this newly discovered Zip file hides multiple Zip files like layers of an onion, and one of those files holds malware. This way, the malware bypasses anti-malware detection—and that’s one key to this attack’s success.
Hide and Seek
Opening the Zip shows a directory of what’s included in the file, but no other directories appear showing the hidden Zip files. As a result, it’s impossible to see or expect there are other Zip files inside, and that’s the other key to this attack’s success. Remember, this layered approach has already bypassed anti-malware security software, so it’s game-on for attackers.
WinRAR, though, issued no warnings when extracting the ZIP archive and it extracted the SHIPPING_MX00034900_PL_INV_pdf.exe NanoCore file.
Unknown to the victim, the added layers of Zip files continue to open until malware is loaded onto the device. Depending on the type of malware it holds, banking trojans, spyware, ransomware, adware, and others, including internet connections to remotely download even more malware, is possible.
A similar style of layered attack was previously used, called the “Zip Bomb” attack. Opening one single Zip file blew up into a 4.5 petabyte folder (1,000 terabytes). That’s equal to an incredible 366 years of 1.4GB HD videos, or 4.5 billion 1MB photos. Just one Zip Bomb attack can crash systems and install all types of malware.
One great antidote for this type of multi-layered Zip attack is remembering any type of file can be malware-filled. As such, make 101% sure you know and trust the email sender and the file they attached is safe before opening it. The same goes for following links in an email since they too can be malicious. So, always keep your email phishing Spidey-Sense set on high because the closer you look, the safer you’ll be.
SUBSCRIBE TO WEEKLY NEWSLETTER
