MITRE Technique [T1027.015] Obfuscated Files or Information: Compression

[T1027.015] Obfuscated Files or Information: Compression – Adversaries compress and archive payloads (ZIP, gzip, 7z, RAR, self-extracting archives) or compress shellcode to hide malicious content and ease transfer. Attackers may concatenate archives or password-protect/encrypt compressed files to evade scanners and trick users into extracting and executing malware. #Compression #DefenseEvasion

Keypoints

  • Adversaries use standard archive formats to hide malware inside compressed files.
  • Compressed shellcode can be stored in unconventional locations like the Windows Registry.
  • Concatenated ZIPs can bypass some archive parsers and hide embedded payloads.
  • Self-extracting archives let attackers run payloads with fewer user actions.
  • Password-protected or encrypted archives combine compression with encoding to block inspection.

Description:

  • Like a locked and layered shipping crate, compression hides dangerous contents inside ordinary packages so they pass casual inspection until opened.
  • Attackers compress files or shellcode to reduce size, bundle multiple components, hide signatures, and bypass scanners or email filters, enabling easier delivery and execution while complicating detection and analysis.

Detection:

  • Scan incoming email attachments and gateway transfers for archive file types (ZIP, 7z, RAR, gzip) and flag unexpected archives. Use mail gateway scanning with archive inspection enabled.
  • Inspect archive metadata and entropy; high entropy or obfuscated filenames indicate possible packed or encrypted contents. Use file analysis tools like binwalk or 7-Zip in headless mode for metadata extraction.
  • Detect self-extracting executables by file signature and correlate with email attachments or downloads. Block or sandbox EXE archives from untrusted sources.
  • Unpack archives in a controlled sandbox and run static and dynamic analysis on extracted files. Automate unpacking with sandboxes (Cuckoo, commercial solutions) and AV engines to reveal nested payloads.
  • Look for concatenated ZIP markers and multiple central directories; use specialized parsers or forensic tools (zipdump, YARA rules) to detect composite archives that standard tools miss.
  • Monitor endpoints for archive extraction activity, new executable creation after extraction, and registry writes that may indicate compressed shellcode storage. Correlate file creation events with process parents and user context.
  • Treat password-protected or encrypted archives as high risk; block or require manual analyst review. Log occurrences and inspect sender context and delivery vectors to reduce false negatives and manage operational risk.
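As an added example (not part of the MITRE page), the following Python script implements the concatenated-ZIP check described above: it counts End of Central Directory and central directory header signatures in the raw bytes, compares them with the entries a standard parser reports, and computes byte entropy as a packing indicator. The sample archives are constructed inline; signature counting is a heuristic and can collide with compressed data.

```python
import io
import math
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"   # Central Directory File Header signature


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_zip(data: bytes) -> dict:
    """Compare what a standard ZIP parser sees with what the raw bytes contain."""
    eocd_count = data.count(EOCD_SIG)
    # Python's zipfile honours only the last EOCD record, like many extractors.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        visible = zf.namelist()
    cd_headers = data.count(CDFH_SIG)
    return {
        "eocd_records": eocd_count,
        "visible_entries": visible,
        "central_dir_headers": cd_headers,
        # More EOCDs, or more CD headers than visible entries, means a composite archive.
        "concatenated": eocd_count > 1 or cd_headers > len(visible),
        "entropy": round(shannon_entropy(data), 2),
    }


def make_zip(files: dict) -> bytes:
    """Build a small in-memory ZIP (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign-looking archive, then a second archive appended to it.
BENIGN = make_zip({"invoice.txt": b"Thank you for your order.\n" * 40})
HIDDEN = make_zip({"update.exe": b"MZ" + bytes(range(256)) * 4})
CONCATENATED = BENIGN + HIDDEN

if __name__ == "__main__":
    for label, blob in (("single", BENIGN), ("concatenated", CONCATENATED)):
        print(label, inspect_zip(blob))
```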

Tactics:
Defense Evasion

Platforms:
Linux, Windows, macOS

Data Sources:
File: File Creation, File: File Metadata

Read More: https://attack.mitre.org/techniques/T1027/015