Hackers have recently employed a sophisticated evasion strategy known as ZIP file concatenation to target Windows users, allowing them to sneak malicious payloads past traditional security software. This technique works by combining multiple ZIP archives into one file. While the resulting concatenated file appears as a single archive, it actually contains several central directories, each pointing to different sets of files. The key vulnerability here is how different ZIP readers interpret concatenated files, allowing attackers to hide malicious content in a way that goes undetected by many standard security tools.
One of the most significant challenges with ZIP file concatenation is the inconsistency in how popular ZIP readers handle these files. For example, when opened with 7zip, only the contents of the first archive are visible, potentially hiding malicious payloads in subsequent directories. Although WinRAR reveals the entire content, including hidden files, this discrepancy is often overlooked by users and makes some ZIP tools more effective in detecting hidden threats. Windows File Explorer, on the other hand, may fail to open concatenated archives altogether, leaving users vulnerable to the undisclosed threats contained within.
This technique has been leveraged in recent phishing campaigns where cybercriminals disguise their attacks as legitimate file downloads. For instance, an email pretending to be a shipping notification contained an attachment named “SHIPPING_INV_PL_BL_pdf.rar,” which appeared to be a harmless RAR file. However, the attachment was a concatenated ZIP archive, and when opened with 7zip, it only revealed a benign PDF. But when opened with WinRAR or Windows File Explorer, the file exposed a malicious executable, “SHIPPING_INV_PL_BL_pdf.exe,” which was identified as a variant of Trojan malware. This executable was designed to download additional malicious payloads or execute ransomware once activated.
The success of the ZIP file concatenation technique lies in its ability to exploit differences in how ZIP readers interpret and process files. Many security solutions rely on common ZIP tools like 7zip or the built-in Windows File Explorer, which may fail to fully scan concatenated archives for hidden threats. By targeting users who rely on these specific tools, hackers can evade detection, making this technique an increasingly favored method of attack. To combat this growing threat, security solutions need to adapt to better handle concatenated ZIP files, ensuring that hidden malware does not slip through the cracks.