Avast Threat Labs examines how the newly popular .zip top-level domain is being abused to mislead users into thinking they are downloading files, with many examples mimicking major brands like Microsoft, Google, and Amazon. The piece also details how attackers use URL obfuscation techniques—such as Unicode slashes and the @ symbol in URLs—to disguise destinations and lure victims, plus practical defense steps. #zipDomains #Microsoft #Google #Amazon #CSGO #GoogleDrive #MicrosoftOneDrive #MicrosoftOffice #GoogleChrome #AmazonS3
Keypoints
- .zip domains are being exploited to confuse users into treating a URL as a downloadable file rather than a link.
- Many top-blocked .zip domains imitate well-known brands and services (e.g., Microsoft, Google, Amazon, Google Drive, Google Chrome, OneDrive, CS:GO).
- Attackers leverage URL obfuscation techniques, including the use of the @ character and Unicode slash variants, to hide the true landing page.
- WHOIS privacy redactions hide who registered a domain, and file-name-like patterns (e.g., names with pdf placed before .zip) make the domain read like a document rather than a website.
- A prototype email demonstrates how an attachment and a link can point to different locations, highlighting phishing risk.
- Recommendations emphasize caution with .zip TLDs, monitoring traffic, email filtering for such content, keeping antivirus up to date, and staying informed on emerging threats.
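The @ and Unicode-slash tricks from the key points above, worked through with Python's standard URL parser. This is an added example, not code from the Avast article: the sample URLs are constructed, the brand-style prefix is illustrative, and the Unicode characters chosen (U+2215 DIVISION SLASH, U+2044 FRACTION SLASH) are assumed look-alikes; the article does not say which code points it observed.

```python
"""Dissect URLs that abuse the userinfo '@' separator and slash look-alikes.

Added example. Sample URLs are constructed; the look-alike code points are an assumption.
"""
from urllib.parse import urlsplit
import unicodedata

# Characters that render like "/" but are not the URL path delimiter. With these in
# place of real slashes, nothing before "@" terminates the authority section, so a
# parser treats the whole brand-looking prefix as userinfo and the bit after "@" as host.
SLASH_LOOKALIKES = ("\u2215", "\u2044")  # DIVISION SLASH, FRACTION SLASH (assumed)


def dissect(url: str) -> dict:
    """Return how a standards-conforming parser actually splits `url`."""
    parts = urlsplit(url)
    return {
        "scheme": parts.scheme,
        "userinfo": parts.username,   # None when the authority has no "@"
        "host": parts.hostname,       # the host the client really connects to
        "path": parts.path,
        "lookalike_slashes": sorted(
            {unicodedata.name(c) for c in url if c in SLASH_LOOKALIKES}
        ),
    }


def risk_findings(url: str) -> list[str]:
    """Explain why `url` is deceptive, in terms of what the parser decided."""
    d = dissect(url)
    findings = []
    if d["lookalike_slashes"]:
        findings.append("slash look-alikes present: " + ", ".join(d["lookalike_slashes"]))
    if d["userinfo"]:
        findings.append(
            f"userinfo {d['userinfo']!r} precedes '@'; real host is {d['host']!r}"
        )
    if d["host"] and d["host"].lower().endswith(".zip"):
        findings.append(f"host {d['host']!r} is a .zip domain that reads like a file name")
    return findings


if __name__ == "__main__":
    # Constructed samples: same visible text, very different parse results.
    plain = "https://www.steampowered.com/downloads/latest/@csgo.zip"
    tricked = "https://www.steampowered.com\u2215downloads\u2215latest\u2215@csgo.zip"
    for sample in (plain, tricked):
        print(sample)
        for k, v in dissect(sample).items():
            print(f"  {k:17} {v!r}")
        for f in risk_findings(sample):
            print("  !", f)
```

With ASCII slashes the host is www.steampowered.com and `@csgo.zip` is just part of the path; with the look-alike slashes the host becomes csgo.zip and the brand prefix is discarded as credentials. The defensive takeaway is to act on the parsed hostname, never on what the string looks like, and to treat any URL carrying userinfo or these code points as suspect.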
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Link – Use of deceptive links in emails; “for educational purposes I crafted a prototype email that leverages the fact that the attachment and the link can point to completely different locations.”
- [T1566.001] Phishing – Spearphishing Attachment – Use of an attachment that may point to a different location than the link; “for educational purposes I crafted a prototype email that leverages the fact that the attachment and the link can point to completely different locations.”
- [T1036] Masquerading – Domain names mimicking legitimate brands (e.g., microsoft-office.zip, google-drive.zip, amazons3.zip) to mislead users; “The most interesting domains are those that are closely related to large service providers… microsoft-office.zip, google-drive.zip, googlechrome.zip, amazons3.zip.”
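The mismatch the two phishing techniques above rely on, an attachment and a link that share a name but point to different places, is something an email filter can check for. The following is an added example, not the article's prototype email or any Avast tooling: it builds a constructed message with a report.zip attachment and an HTML link whose visible text is also report.zip but whose href resolves to a hypothetical .zip host, then flags the discrepancy.

```python
"""Flag email links whose visible text reads like a file name but resolve to a host.

Added example. The message, attachment bytes and the host report.zip are constructed.
"""
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def build_sample_email() -> EmailMessage:
    """Constructed lure: attachment and link share the name report.zip."""
    msg = EmailMessage()
    msg["Subject"] = "Your monthly report"
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg.set_content("Please see the attached report.")
    msg.add_alternative(
        '<p>Your report: <a href="https://report.zip/">report.zip</a></p>'
        '<p><a href="https://www.example.com/help">Help</a></p>',
        subtype="html",
    )
    # Minimal empty-archive bytes (end-of-central-directory record), constructed.
    msg.add_attachment(b"PK\x05\x06" + b"\x00" * 18,
                       maintype="application", subtype="zip", filename="report.zip")
    return msg


def attachment_filenames(msg: EmailMessage) -> set[str]:
    return {(p.get_filename() or "").lower() for p in msg.iter_attachments()}


def html_anchors(msg: EmailMessage) -> list[tuple[str, str]]:
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return []
    collector = _AnchorCollector()
    collector.feed(html_part.get_content())
    return collector.anchors


def check_links(msg: EmailMessage) -> list[dict]:
    """Return one finding per anchor whose label or destination looks like a file lure."""
    attachments = attachment_filenames(msg)
    findings = []
    for href, text in html_anchors(msg):
        host = (urlsplit(href).hostname or "").lower()
        label = text.lower()
        reasons = []
        if label in attachments:
            reasons.append("link text matches an attachment file name")
        if label.endswith(".zip"):
            reasons.append("link text reads like a .zip file")
        if host.endswith(".zip"):
            reasons.append("href resolves to a .zip domain")
        if reasons:
            findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(build_sample_email()):
        print(f"{f['text']!r} -> {f['host']}: " + "; ".join(f["reasons"]))
```

The three signals are deliberately independent: a label that matches an attachment name is the strongest, because a user who sees the same name twice will assume they are the same object; the other two catch the general .zip-domain lure even when no attachment is present.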
Indicators of Compromise
- [Domain] Domain names using .zip to mimic brands – microsoft-office.zip, google-drive.zip, csgo.zip, amazons3.zip, 42.zip, attachments.zip, download.zip, and other similarly structured domains (e.g., 226×227.pdf.zip, 2023-05.pdf.zip, cv3.pdf.zip, temp1_rsbu_12m2021.pdf.zip)
- [IP Address] Destination referenced in the article – 52.144.44.169 (defanged as 52.144.44[.]169 in the content); 10.0.0.1 also appears, but it is an RFC 1918 private address used only as an illustration, not an indicator
- [URL] Misleading URL format used as an example – https://www.steampowered.com/downloads/latest/@csgo[.]zip; with ordinary ASCII slashes as written here a parser treats www.steampowered.com as the host, but when the slashes are Unicode look-alikes (the trick described in the key points) everything before @ becomes userinfo and the real host is csgo.zip
Read more: https://decoded.avast.io/matejkrcma/unpacking-the-threats-within-the-hidden-dangers-of-zip-domains/