Keypoints
- Adversaries commonly deliver inflated malware via email attachments or malicious download links that unpack into much larger files (the cited examples range from over 100 MB to more than 600 MB).
- ZIP is the predominant distribution archive; nested containers (ISO, RAR) are used to add layers so scanners that don’t recursively extract miss malicious content.
- Compression effectiveness is exploited by filling payloads with low-entropy/repeating data so archives remain small in transit but expand massively on extraction.
- File inflation techniques include LNK extra-data block stuffing, PE resource-section and overlay padding, and appending data beyond OLE/FAT boundaries in documents.
- Masquerading (e.g., New Document001.pdf.exe) and use of shortcuts/icons are used to induce user execution after extraction/mounting.
- Primary payloads delivered via this technique include remote access tools and loaders such as QUASAR RAT, AGENTTESLA, REMCOS, and ASYNCRAT; some inflated documents tied to EMOTET.
- Trimming resource or overlay data proves the inflated data is nonessential to execution, confirming the technique’s goal is evasion rather than functionality.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Describes delivery via email attachments: ‘Malicious inflated malware is often delivered through email attachments or downloaded via URLs.’
- [T1204.002] User Execution: Malicious File – Social engineering to induce opening of attachments: ‘accompanied by persuasive language to entice recipients into opening the attachment.’
- [T1105] Ingress Tool Transfer – Use of download links to retrieve compressed archives containing the inflated payload: ‘email containing a download link that points to a compressed archive that will contain the inflated malware file.’
- [T1027] Obfuscated Files or Information – Use of nested archives, ISO containers, and compression to conceal payloads and evade scanning: ‘the inflated malware remains concealed… only when the user mounts the ISO file that the inflated malware is exposed.’
- [T1036] Masquerading – Files renamed and icon-changed to appear as benign documents (e.g., PDF): ‘masquerading technique where the malware file is pretending to be PDF file by changing its icon and adding pdf extension.’
- [T1140] Deobfuscate/Decode Files or Information – Execution requires extraction/mounting (decompression) to expose payload: ‘Upon decompression, it reveals an ISO file which is another container layer… only when the user mounts the ISO file that the inflated malware is exposed and becomes ready for execution.’
- [T1027] Binary Padding / Obfuscation via Extra Data – Inflating files by adding large unused data in LNK extra-data blocks, PE resources, or overlays to bypass scan limits: ‘the Extra Data Block section has been intentionally filled with trash data’ and ‘appended with more than 1 GB of overlay data.’
Indicators of Compromise
- [File hash] Malware archive examples – EF03E6CCB9B97C898B779381B01402FA, 9E1C78CFFBA238E340E4F8C1F6B2A20B (and 3 more hashes)
- [File hash] Inflated payload examples – 5D863654DD020D744AFF25AE91B251BF, 473AB5076D99785ECBE1F933F0747C1B (and 2 more hashes)
- [File name] Archive / nested-container examples seen in emails – 83B38XM4C_ETRANSFER_RECEIPT.zip → .iso → .exe; document_atqxJ9.zip → New Document001.rar → New Document001.pdf.exe
- [Detection names] Associated detections / named signatures – Backdoor.MSIL.ASYNCRAT.MVX, Backdoor.Win.REMCOS.MVX (and multiple other listed detections)
Threat actors use compact archives and compression with highly redundant data to transport massively inflated payloads that expand locally after extraction or mounting. Common delivery flows include a small ZIP attachment or a download link that provides a nested container (ZIP → ISO → EXE or ZIP → RAR → EXE) where the final payload can be several hundred megabytes; for example, a 1.77 MB ZIP expanding to a 300 MB ISO/EXE, or a ~77 KB ZIP ultimately revealing a 664 MB executable. Attackers intentionally craft low-entropy filler (repeating bytes, blank bitmap scan lines, or repeated overlay bytes) to maximize compression efficiency so archives remain small in transit while evading size-based scanner thresholds.
At the file-format level, multiple inflation techniques preserve program functionality while enlarging file size: LNK shortcuts are padded via Extra Data Block entries to grow to gigabytes without breaking the shell link structure; PE files carry large resource-section bitmap payloads or appended overlay data (not mapped into the PE virtual image) so execution memory footprint remains low; OLE/CFB (document) files contain data appended beyond the FAT-mapped maximum sector range to add hundreds of megabytes of inert data. These inflated sections are nonessential—removing resource directories or trimming overlays restores the original executable behavior—confirming the primary goal is scanner evasion rather than added capability.
Operationally, attackers pair these techniques with masquerading (e.g., .pdf.exe with PDF icon) and social engineering to cause user extraction/mounting, after which the inflated file typically stages or downloads secondary payloads such as QUASAR RAT, AGENTTESLA, REMCOS, and ASYNCRAT; some inflated OLE documents were observed in EMOTET campaigns. Detection and analysis require recursive archive extraction, inspection of extra-data blocks and overlays, and tools that validate CFB/FAT boundaries (e.g., OLEMAP) to reveal appended inert data that may otherwise bypass scanners.
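As an added example (not code from the Trellix blog), the following Python check carves the overlay from a PE file by walking its section table, measures the overlay's entropy, and flags a large, low-entropy overlay as suspected inflation of the kind described above; the size and entropy thresholds and the minimal PE builder used for sample input are assumptions made for this illustration.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant filler, close to 8.0 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_overlay(data: bytes):
    """Return (overlay_offset, overlay_bytes) for a PE file, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * nsec  # nothing before the end of the section table is overlay
    for i in range(nsec):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end, data[end:]

def assess_inflation(data: bytes, min_overlay: int = 1_000_000, max_entropy: float = 2.5) -> dict:
    """Flag a large, low-entropy overlay (thresholds are assumed values, not from the blog)."""
    found = pe_overlay(data)
    if found is None:
        return {"pe": False}
    offset, overlay = found
    entropy = round(shannon_entropy(overlay), 3)
    return {"pe": True, "overlay_offset": offset, "overlay_size": len(overlay),
            "overlay_entropy": entropy,
            "suspected_inflation": len(overlay) >= min_overlay and entropy <= max_entropy}

def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE (one .text section of RET bytes, not runnable) for testing."""
    e_lfanew, opt_size, raw_ptr, raw_size = 0x40, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + sect
    image += b"\0" * (raw_ptr - len(image)) + b"\xC3" * raw_size
    return image + overlay
```

Running `assess_inflation(build_sample_pe(b"\x00\xff" * 1_000_000))` reports a 2 MB overlay at offset 0x400 with entropy 1.0 and `suspected_inflation` set; the same check on a real sample should be paired with the resource-section and OLE/FAT boundary checks the text mentions, since overlay padding is only one of the inflation methods.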
Read more: https://www.trellix.com/blogs/research/supersize-me/