Rewterz Threat Alert – Threat Actors Weaponizing .ZIP Domains To Trick Victims

Severity

High

Analysis Summary

Recently, researchers discovered an advanced phishing method called “file archiver in the browser” that exploits .ZIP domains to deceive unsuspecting individuals. This technique impersonate a file archiver software within a web browser when someone visits a website with a .ZIP domain.

The attackers create a fraudulent webpage that closely resembles legitimate file archiving software, utilizing HTML and CSS to imitate the interface and design elements. By hosting this deceptive page on a .ZIP domain, they aim to enhance the credibility of their social engineering campaigns.

In a typical attack scenario, victims are tricked into clicking on a file “contained” within the counterfeit ZIP archive. This action can lead to various outcomes, including redirecting users to a page where their credentials are harvested or initiating the download of a disguised executable file. For example, a user expecting to download an “invoice.pdf” file might unwittingly download a malicious .exe file.

Additionally, the attackers exploit the search functionality in the Windows File Explorer to further deceive users. If someone searches for a nonexistent ‘.ZIP’ file and the file name matches a genuine .ZIP domain the web browser will automatically opens the corresponding webpage. This manipulation capitalizes on users’ anticipation of encountering ZIP files during searches, thereby fostering trust in the fraudulent page.

The introduction of new top-level domains (TLDs) by Google, such as “.ZIP” and “.MOV,” has raised concerns about potential confusion between domain names and file names. Attackers exploit these TLDs, which resemble legitimate file extensions, to deceive users into visiting malicious websites instead of opening files, thereby exposing them to the risk of downloading malware or falling victim to other malicious activities.

This technique is particularly alarming as ZIP files are commonly used in the initial stages of cyber attacks. Attackers can leverage ZIP-related URLs to download malware, taking advantage of the introduction of the .ZIP TLD.

Researchers discovered the increasing sophistication of phishing attacks, with cybercriminals employing advanced techniques to evade detection. The use of encryption, such as encrypted .rpmsg messages, allows attackers to conceal phishing content and URL links from email scanning gateways. Additionally, attackers exploit legitimate features in platforms like Microsoft Teams to facilitate phishing and malware delivery, such as manipulating meeting invites and substituting benign links with malicious ones using API calls.

These evolving phishing schemes emphasize the importance of remaining vigilant, implementing robust security measures, and staying informed about phishing techniques to safeguard against such threats.

Impact

• Credential Theft
• Identity Theft
• Sensitive Information Theft

Remediation

• Conduct regular security awareness training to educate users about phishing techniques and encourage them to exercise caution when interacting with suspicious emails and websites.
• Maintain a list of known malicious domains, including .ZIP domains, and block access to them using reputation-based security services.
• Deploy advanced email filtering and anti-phishing solutions to detect and block phishing emails before they reach users’ inboxes.
• Configure web browsers to warn users about potentially malicious websites and prevent automatic opening of certain file types.
• Enable 2FA for critical systems and applications to add an extra layer of security.
• Keep operating systems and software up to date with the latest security patches to address vulnerabilities.
• Deploy comprehensive endpoint protection solutions that include anti-malware, anti-phishing, and web filtering capabilities.
• Establish channels for employees to report suspicious activities, facilitating prompt action against potential threats.
• Monitor for suspicious or malicious domain registrations resembling legitimate file extensions or popular brands.