Medium
Researchers disseminated a Warning to its government customers about a new APT28 (aka Sofacy, Sednit, Fancy Bear, STRONTIUM, etc.) campaign targeting government bodies of NATO members (or countries cooperating with NATO) and dropping Zebrocy malware. At a first look, the sample seems to be a valid JPEG image file.
However, further analysis revealed the sample as having a Zip file concatenated. This technique works because JPEG files are parsed from the beginning of the file and some Zip implementations parse Zip files from the end of the file (since the index is located there) without looking at the signature in the front.
The technique is also used by threat actors to evade AVs, or other filtering systems since they might mistake the file for a JPEG and skip it. Interestingly, in order to trigger the decompression of the file on Windows after the user clicks on it, the following conditions need to be met: a) the file must be correctly named .zip(x); b) the file needs to be opened with WinRAR. The file will show an error message claiming it is corrupted if the targeted victim uses WinZip or the default Windows utility.
After decompressing the appended ZIP file, the two samples are dropped.