Recently, the cybersecurity community detected that ZIP files were being used to bypass secure email gateways and deliver malware hidden inside the archives themselves. The phishing campaign in question aimed to distribute the NanoCore RAT, a well-known remote access tool that cybercriminals have been using for years.

In this particular case, it was Trustwave that discovered the widespread attack and took the time to document it for the community.

At My IT Guy, we want to help spread this kind of information, as it does an outstanding job of making both cybersecurity professionals and business owners aware of the threats out there.

The File

The ZIP file discovered and studied by Trustwave was named SHIPPING_MX00034900_PL_INV_pdf.zip, and it was sent by email from an Export Operation Specialist to USCO Logistics.

As mentioned before, this ZIP file successfully bypassed the secure email gateways deployed by USCO Logistics, and no warnings were raised about the message.

The first red flag was the file's size, which was larger than the uncompressed files it supposedly contained. Normally, when a group of files is placed in a ZIP container, the resulting archive is smaller than the files themselves, because the documents go through a compression process that saves space.

The Format

The second red flag was that, when the suspicious file was opened in the 010 Editor, it showed two different ZIPENDLOCATOR structures.

When a ZIP file is created, it includes an End of Central Directory (EOCD) record, whose purpose is to mark the end of the archive structure. There is no reason for a ZIP archive to have more than one such record. However, the discovered file had two.

The first structure held a decoy file, a .jpg image that the secure email gateways identified as harmless, letting the ZIP file through. It was the second, hidden structure that contained the malware.
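As an added illustration (not code from the original post or from Trustwave), here is a small Python checker for the two red flags described above: it counts End of Central Directory records in a file and compares the archive's size with the uncompressed sizes listed in the central directory that an extractor would actually use. The archives it inspects are constructed in memory with Python's zipfile module; the file names and contents are placeholders, not the files from the real campaign.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"           # End of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"           # central directory file header signature
EOCD_FMT = "<4sHHHHIIH"            # 22-byte fixed part of the EOCD record
CDFH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of a central directory header


def find_eocd_offsets(data):
    """Return the offset of every EOCD signature in the buffer.

    A well-formed archive has exactly one. The 4-byte signature can in theory
    appear inside compressed data, so a hit is a reason to parse, not proof.
    """
    offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def entries_for_eocd(data, eocd_off):
    """Walk the central directory that belongs to one EOCD record.

    The CD offset stored in the EOCD is relative to the start of *that* archive,
    which is unknown when archives are concatenated, so we anchor on the fact
    that the central directory ends exactly where its EOCD record begins.
    Returns a list of (filename, uncompressed_size) tuples.
    """
    _, _, _, _, n_total, cd_size, _cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_off)
    pos = eocd_off - cd_size
    entries = []
    for _ in range(n_total):
        fields = struct.unpack_from(CDFH_FMT, data, pos)
        if fields[0] != CDFH_SIG:
            break                                   # corrupt or truncated directory
        uncompressed = fields[9]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, uncompressed))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def inspect_zip(data):
    """Report the two red flags from the post: extra EOCD records, and an archive
    larger than the uncompressed files an extractor would list for it."""
    eocds = find_eocd_offsets(data)
    per_record = [entries_for_eocd(data, off) for off in eocds]
    # Extractors normally seek backwards for the last EOCD, so that listing is
    # what a user would see; earlier records are what gets silently skipped.
    visible = per_record[-1] if per_record else []
    visible_total = sum(size for _, size in visible)
    return {
        "eocd_count": len(eocds),
        "per_record_entries": per_record,
        "archive_size": len(data),
        "visible_uncompressed_total": visible_total,
        "larger_than_contents": len(data) > visible_total,
        "suspicious": len(eocds) != 1,
    }


def build_zip(files):
    """Build a small archive in memory. Constructed test data, not the campaign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one ordinary archive, and two archives glued together so
# the result carries two EOCD records, the shape Trustwave described.
DECOY_CONTENT = b"\xff\xd8 constructed stand-in for an image \xff\xd9"
SECOND_CONTENT = b"constructed stand-in for the hidden content"
CLEAN = build_zip({"report.txt": b"quarterly figures " * 200})
DECOY = build_zip({"picture.jpg": DECOY_CONTENT})
SECOND = build_zip({"second.bin": SECOND_CONTENT})
DOUBLE_EOCD = DECOY + SECOND

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("double EOCD", DOUBLE_EOCD)):
        print(label, inspect_zip(sample))
```

The EOCD count is the strong signal here; the size comparison is only supporting evidence, since already-compressed content such as JPEGs barely shrinks and tiny archives are dominated by header overhead, so "larger than its contents" on its own would flag plenty of legitimate mail. Listing the entries under each EOCD record separately shows exactly what a tool that honours only the last record would present to the user and what it would leave unexamined.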

The Extractors

Finally, it’s worth mentioning the role the extraction software played during the tests. Trustwave used the Windows built-in ZIP extractor, 7-Zip, and WinRAR to find out which of them could detect that something was wrong with the file.

WinRAR decompressed the file without issuing any warnings, which is bad enough. The Windows built-in extractor reported an error saying the ZIP file was invalid and its contents could not be extracted, which is great. Finally, 7-Zip showed a warning during extraction, “There are some data after the end of the payload data”, yet the files were extracted just as they were with WinRAR.

The Bottom Line

Using ZIP files as a vehicle to bypass supposedly secure email gateways is a clear problem for businesses that constantly exchange archives by email and believe these security measures are more than enough to keep them fully protected. This type of file is used every day to transfer all kinds of documents, which makes banning it from corporate communication virtually impossible.

This situation should be enough for companies to understand that malware is being distributed successfully through ZIP files despite correctly implemented secure gateways. Automated scans alone aren’t enough to stop this threat, which makes the role of every professional who sends and receives ZIP files by email very clear: it is their duty to think twice before decompressing a file and to consider carefully whether they could be the target of a phishing campaign.