Double or quits

Cybercrooks behind a malware campaign that aims to give them complete control over Windows devices are hiding their payload in a ‘double-loaded’ ZIP file, new research indicates.

In a technical blog post published last week, researchers from Trustwave dissected a spam campaign purporting to be from the now-defunct USCO Logistics.

While the email included a number of red flags (including mismatched headers, suspicious message body, and suspicious attachment name), it was the attachment itself that raised alarm bells.

“The ZIP file had a file size significantly greater than that of its uncompressed content,” Trustwave’s Diana Lopera explains.

“Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes.”

On closer inspection, Trustwave researchers discovered that the ZIP file had two ‘end of central directory’ (EOCD) elements, which pointed to the existence of two separate ZIP structures.


Read more of the latest malware news from The Daily Swig


It soon became apparent that the first ZIP structure was for a harmless ‘order.jpg’ image file, but the second EOCD was for an executable file.

“The image file… serves as a decoy, an attempt to hide the content of the other ZIP structure,” Lopera said.

“The second ZIP structure contains ‘SHIPPING_MX00034900_PL_INV_pdf.exe’, which is a NanoCore RAT [remote access trojan].”

Double take

Once installed, NanoCore can give an attacker complete control over the target device, including the ability to access the webcam and microphone, view files, log keystrokes, and steal passwords.

Fortunately, in this instance, Trustwave’s analysis of the double-loaded ZIP technique indicates that results are patchy at best, as most archiving tools would fail to register the malicious file:


We used different archiving tools such as PowerArchiver 2019, WinZip, WinRar, 7Zip, and Unzip that is built into the Windows OS in attempting to extract the content of the attachment… Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed… [S]ome of the most popular archiving tools failed to notice the second ZIP structure.

According to Trustwave, this attack would only succeed if the end user was using certain archive utilities, such as certain versions of PowerArchiver, WinRar, and older 7Zip builds.

In light of these limitations, however, this latest campaign once again serves to demonstrate the lengths attackers are going to in their quest to evade email scanning gateways and push malware onto Windows devices.

“This case does highlight the types of tricks the bad guys are using in an attempt to deliver malware through email,” said Lopera.


RELATED Ancient ZIP bomb attack given new lease of life