SoylentNews is people
SoylentNews
Submission Preview
Specially Crafted ZIP Files Used to Bypass Secure Email Gateways
████ Bot sub. Needs editing. Et cetera. ████
Submitted via IRC for soylent_aqua
Specially Crafted ZIP Files Used to Bypass Secure Email Gateways [bleepingcomputer.com]
Attackers are always looking for new tricks to distribute malware without them being detected by antivirus scanners and secure email gateways. This was illustrated in a new phishing campaign that utilized a specially crafted ZIP file that was designed to bypass secure email gateways to distribute the NanoCore RAT.
Every ZIP archive contains a special structure that contains the compressed data and information about the compressed files. Each ZIP archive also contains a single "End of Central Directory” (EOCD) record, which is used to indicate the end of the archive structure.
In a new spam campaign discovered by Trustwave, researchers encountered a spam email pretending to be shipping information from an Export Operation Specialist of USCO Logistics.
Attached to this email was a ZIP archive named SHIPPING_MX00034900_PL_INV_pdf.zip that looked suspicious as its file size was greater than its uncompressed content.
"The attachment “SHIPPING_MX00034900_PL_INV_pdf.zip“ makes this message stand out," Trustwave stated in a report [trustwave.com]. "The ZIP file had a file size significantly greater than that of its uncompressed content. Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes."
Email in Trustwave Security Email Gateway (SEG)
When examining the file, the Trustwave researchers discovered that the ZIP archive contained two distinct archive structures, each marked by their own EOCD record.
This is illustrated by the file opened in 010 Editor, which shows two different ZIDENDLOCATOR structures.
Two EOCD records in the archive
As we said previously, a ZIP archive should have only one EOCD record, so this indicated that the ZIP file was specially crafted to contain two archive structures.
The first ZIP structure is for a decoy order.jpg file that is just a harmless image file. The second ZIP structure, though, contained a file named SHIPPING_MX00034900_PL_INV_pdf.exe, which is the NanoCore Remote Access Trojan (RAT).
It was determined that the attackers were creating this specially crafted ZIP archive in order to bypass secure email gateways whose archiving utilities may not properly extract the malware and would only see the harmless decoy image file.
Different file extractors behave differently
When attempting to open the archive using various file extraction programs, Trustwave discovered that the archive was treated differently per file extractor.
For example, the Windows built-in ZIP extractor states that the ZIP file is invalid and won't extract it.
Windows trying to extract ZIP attachment
When BleepingComputer tested with 7-Zip 9.20, it warned us that there was something wrong with the ZIP file, but was able to extract a file.
7-Zip issuing warning while extracting
The file extracted, though, was not the malicious payload, but the harmless order.jpg image file.
Extracted order.jpg file
WinRAR, though, issued no warnings when extracting the ZIP archive and it extracted the SHIPPING_MX00034900_PL_INV_pdf.exe NanoCore file.
WinRAR extracted NanoCore file
Due to the different behavior shown by various unarchiving engines, Trustwave believes that some of those engines may detect the harmless file rather than the malicious payload.
"This sample challenges gateways scanners. Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP structure. "
After testing numerous file extractors, Trustwave determined that only certain versions of the PowerArchiver, WinRar, and older 7-Zip utilities properly extracted the NanoCore executable.
This shows that while this technique may help to bypass email scanners, it also has the side-effect of making it difficult to extract the malicious payload. This would lead to far fewer infected victims than the attacker may have anticipated.
