Unsolicited emails carrying ZIP attachments are already a headache to handle. Now attackers are using a more advanced technique to get them past scanners.
ZIP file concatenation, that is, appending one complete ZIP archive to the end of another so that a single file carries two central directories, is not new. But in their relentless attempts to evade casual detection, cybercriminals have been refining the technique to resist automated detection mechanisms.
Recent reports describe cybercriminals capitalizing on the different quirks of ZIP-compatible unpackers, which disagree about which of the two archives in a concatenated file to show, in order to hide malicious content inside concatenated ZIP archives.
According to Arthur Vaiselbuh, Windows Internals Engineer at Perception Point, 7-Zip reads only the first archive and displays its contents alone, while WinRAR reads the second archive's central directory and displays the second archive's contents. A recent version of Windows File Explorer struggles with concatenated ZIP files: it may fail to open the file altogether, or display only part of it under unusual conditions, such as after the file has been renamed with a .RAR extension.
By merging two or more ZIP files into one, attackers can place the malicious content in the second archive, knowing that each unpacker (WinRAR, 7-Zip or Windows File Explorer on version 23H2) detects and displays only one of the two parts. A scanner that behaves like 7-Zip inspects the harmless first archive and clears the attachment, while a recipient whose unpacker reads the second archive opens the malware-laden one, so it slips by unnoticed.
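The following is an added example, not code from the article or from Perception Point. It builds a concatenated ZIP in memory (a harmless decoy archive followed by a constructed stand-in "payload" archive), shows the two views the article describes (a parser that reads from the start and stops at the first archive's end-of-central-directory record, versus one that trusts the last such record, which is what Python's own zipfile module does), and implements the check a mail gateway would want: walk the file and count how many self-consistent archives are laid end to end. The 7-Zip/WinRAR labels are the behaviours the report attributes to those tools; the function and sample names are this example's own.

```python
"""Concatenated ZIP: build one, show the two parser views, and detect it."""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
# sig, disk no, cd disk, entries on disk, entries total, cd size, cd offset, comment length
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def make_zip(members):
    """Write {name: bytes} into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def split_concatenated(data):
    """Return (start, end) byte ranges of the ZIP archives laid end to end in `data`.

    An EOCD record belongs to an archive beginning at `start` only if
    start + cd_offset + cd_size lands exactly on that record. That rules out
    stray "PK\\x05\\x06" bytes that happen to occur inside compressed member data."""
    archives, start, pos = [], 0, 0
    while (pos := data.find(EOCD_SIG, pos)) != -1:
        if pos + EOCD_LEN <= len(data):
            *_, cd_size, cd_offset, comment_len = struct.unpack(EOCD_FMT, data[pos:pos + EOCD_LEN])
            if start + cd_offset + cd_size == pos:
                end = pos + EOCD_LEN + comment_len
                archives.append((start, end))
                start = pos = end
                continue
        pos += 1
    return archives


def first_archive_names(data):
    """View of a parser that reads from the start and stops at the first
    archive's EOCD (the behaviour the report attributes to 7-Zip)."""
    start, end = split_concatenated(data)[0]
    with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
        return zf.namelist()


def last_archive_names(data):
    """View of a parser that locates the EOCD from the end of the file and trusts
    it (WinRAR per the report). Python's zipfile does the same: it treats the
    bytes before the archive the trailing EOCD describes as prepended junk."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_from_last(data, name):
    """Extract a member from the archive the trailing EOCD describes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def is_concatenated(data):
    """Gateway check: more than one self-consistent archive in a single file."""
    return len(split_concatenated(data)) > 1


# Constructed samples: a harmless decoy followed by a stand-in "payload" (no real malware).
BENIGN = make_zip({"invoice.txt": b"Please find the invoice attached.\n"})
PAYLOAD = make_zip({"payload.exe": b"MZ stand-in for a malicious binary (constructed)\n"})
CONCAT = BENIGN + PAYLOAD  # the attacker's attachment: one file, two archives

if __name__ == "__main__":
    print("first-archive view :", first_archive_names(CONCAT))
    print("last-archive view  :", last_archive_names(CONCAT))
    print("concatenated?      :", is_concatenated(CONCAT), "ranges:", split_concatenated(CONCAT))
```

A scanner that only calls `last_archive_names` (or only `first_archive_names`) sees exactly one half of the attachment; `is_concatenated` is the attribute a filtering rule should key on, regardless of which half the scanner's unpacker happens to favour.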
Nested archives in emails
Nesting password-protected ZIP archives several levels deep, with the malware inside the innermost one, can likewise test the limits of email-scanning and protection tools.
When someone receives an email containing nested and/or password-protected ZIP files (or other archive formats), the onus is on the recipient to handle the attachments with caution.
The surest defence against emails carrying archived or concatenated attachments appears to be to quarantine the entire email and notify the recipient to contact IT for further guidance, especially when the email is unsolicited.
Said Patrick Tiquet, VP (Security and Compliance), Keeper Security: “With ZIP files, use antivirus scans or open them in a secure environment. And, if you see unusual warnings when opening an archive, it’s wise to delete it immediately. Staying vigilant with attachments can be the difference between protecting your device and falling victim to hidden malware.”
Similarly, experts from Fortinet recommend restricting the delivery of password-protected ZIP files by email and quarantining them as potential policy violations and red flags. They suggest controls that alert users and admins when potentially suspicious attachments, such as encrypted files, enter an organization's email system, and emphasize the need for multi-layered email security tools that can filter on content attributes like the presence of encryption.
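As an added example (not code from the article, Fortinet or Keeper Security), here is the kind of content-attribute check the recommendations above describe: walk an attachment, descend into members that are themselves ZIP archives (recognized by content rather than extension, so a renamed archive is still followed), record any member whose general-purpose flag bit 0 marks it as encrypted, and flag nesting beyond an assumed policy depth. The samples are constructed in the script; the "encrypted" fixture only sets the flag bit, it does not actually encrypt anything, since that is all the check inspects. `MAX_DEPTH` and the function names are this example's own choices.

```python
"""Walk an email attachment for nested and password-protected ZIP archives."""
import io
import zipfile

MAX_DEPTH = 3  # assumed gateway policy: archives nested deeper than this are flagged


def make_zip(members):
    """Write {name: bytes} into an in-memory STORED ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def set_encryption_flag(blob):
    """Fixture only: set general-purpose flag bit 0 ("encrypted") on a
    single-member archive so the check below sees what a real password-
    protected member carries. The member data itself is left unencrypted."""
    data = bytearray(blob)
    data[data.find(b"PK\x03\x04") + 6] |= 0x01   # local file header: flags at +6
    data[data.rfind(b"PK\x01\x02") + 8] |= 0x01  # central directory header: flags at +8
    return bytes(data)


def inspect_attachment(blob, depth=1):
    """Return {"max_depth", "encrypted", "too_deep"} for a ZIP attachment,
    descending into members that are themselves ZIP files."""
    findings = {"max_depth": depth, "encrypted": [], "too_deep": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings  # not a ZIP at all; nothing further to walk
    with zf:
        for info in zf.infolist():
            if info.flag_bits & 0x01:  # encrypted member: record it, cannot look inside
                findings["encrypted"].append(info.filename)
                continue
            member = zf.read(info)
            if not zipfile.is_zipfile(io.BytesIO(member)):
                continue
            if depth >= MAX_DEPTH:
                findings["too_deep"] = True
                continue
            inner = inspect_attachment(member, depth + 1)
            findings["max_depth"] = max(findings["max_depth"], inner["max_depth"])
            findings["too_deep"] = findings["too_deep"] or inner["too_deep"]
            findings["encrypted"] += [f"{info.filename}/{n}" for n in inner["encrypted"]]
    return findings


def should_quarantine(findings):
    """Policy from the text: encrypted content or excessive nesting is held back."""
    return bool(findings["encrypted"]) or findings["too_deep"]


# Constructed samples (no real malware): a password-flagged payload two levels down,
# a benign archive nested four levels deep, and a plain single-level archive.
ENCRYPTED = set_encryption_flag(make_zip({"payload.exe": b"MZ stand-in (constructed)\n"}))
NESTED_ENCRYPTED = make_zip({"docs.zip": make_zip({"archive.zip": ENCRYPTED}), "readme.txt": b"hello\n"})
TOO_DEEP = make_zip({"a.zip": make_zip({"b.zip": make_zip({"c.zip": make_zip({"x.txt": b"x"})})})})
CLEAN = make_zip({"report.txt": b"quarterly numbers\n"})

if __name__ == "__main__":
    for label, blob in [("nested+encrypted", NESTED_ENCRYPTED), ("too deep", TOO_DEEP), ("clean", CLEAN)]:
        f = inspect_attachment(blob)
        print(f"{label:17} {f} -> quarantine={should_quarantine(f)}")
```

The encrypted path is reported with its full nesting path, which is what an alert to the user or admin should carry; the walker never attempts to extract an encrypted member, so it cannot be stalled by a password it does not have.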