[SANS ISC] Phishing ZIP With Malformed Filename, (Sun, Oct 24th)

The output of my zipdump.py tool analyzing diary entry “Reader Malware: ZIP/HTML Phish” ZIP file is a bit strange:

File 2 is spread over 2 lines: that’s because it contains a carriage-return and a line-feed control character:

When I modify my zipdump tool to escape control characters, output looks like this:

I assumed that this malformed filename (filenames are not supposed to contain CR or NL characters) was a technique to mislead the user, e.g., that the user would not see the .html extension, because it was on another line.

But that is not the case. In Windows 10, without any installed archive utility, you don’t even see the HTML file:

And you can view the PNG file (i.png), but not the HTML file:

Wit WinZIP you get a warning:

And the HTML file is not listed:

With WinRAR, you do see the HTML file:

And also with 7-Zip:

Conclusion: depending on your archive utility, you might see the HTML file or not. But when you see the HTML file, you see the complete filename as if the CR and NL characters did not exist.

So the purpose of adding these special characters, is probably not to mislead the user.

I think that these characters are included, to bypass email detection systems that decompress archives to a temporary folder for scanning. Either the de-archiving utility might have issues with the CR and NL characters embedded in the filename, and just skip that file. Then it won’t be scanned.

Or either the scanner might have issues dealing with the CR and NL characters embedded in the filename.

What do you think? Please post a comment with your hypothesis.



Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

Daily NCSC-FI news followup 2021-10-16

CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems thehackernews.com/2021/10/cisa-issues-warning-on-cyber-threats.html The U.S. Cybersecurity Infrastructure and Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater facilities (WWS), highlighting five incidents that occurred between March 2019 and August 2021. Lisäksi: us-cert.cisa.gov/ncas/alerts/aa21-287a Apache is Actively Scan for CVE-2021-41773 & […]

Read More

[HackerNews] New Fileless Malware Uses Windows Registry as Storage to Evade Detection

All posts, HackerNews

A new JavaScript-based remote access Trojan (RAT) propagated via a social engineering campaign has been observed employing sneaky “fileless” techniques as part of its detection-evasion methods to elude discovery and analysis. Dubbed DarkWatchman by researchers from Prevailion’s Adversarial Counterintelligence Team (PACT), the malware uses a resilient domain generation algorithm (DGA) to identify Source: Read More […]

Read More

[ESET] Beware of these 5 common scams you can encounter on Instagram

All posts, ESET feed

From cybercriminal evergreens like phishing to the verification badge scam we look at the most common tactics fraudsters use to trick their victims The post Beware of these 5 common scams you can encounter on Instagram appeared first on WeLiveSecurity Source: Read More (WeLiveSecurity)

Read More