On March 23, ASEC analysis team has found that abnormal malicious archive files have been distributed via email. The attachment in the e-mail is ZIP extension, but it prompts the user to extract it by a specific decompressor using a message “Use Winrar.”
Distributing archived malware via email is a known method. As shown in the highlighted text (Use Winrar) in Figure 1, this email prompts the user to decompress the file using ‘WinRAR.’ 2 samples distributed that way have been found, and the filenames are as below:
- MV_GLOVIS_B35C_191850_12_02_2020.zip
- Scan_Covid19_2020.zip
This blog will use “Scan_Covid19_2020.zip” file as a sample for further explanation.
If the user uses WinRAR compressor to extract the archive file as the attacker intended, a malicious executable (.exe) is extracted.
However, upon extracting the file with compressors commonly used in Korea such as bandizip or 7-zip (latest) compressor, a normal *.jpg is extracted.
What makes extraction outcomes from identical archive file different? The straight answer to this is that the malicious zip file has an abnormal compression structure which is a combination of two archive files. The normal structure of a ZIP file will be briefly explained to provide an explanation for such an abnormal structure.
ZIP compression structure
The following are the terms that will be used to prevent the readers from being confused by the naming differences between aspects that are expressed with template feature of 010 editor and names of commonly known configurations.
- Record = Local File Header + File Data (Compressed)
- DirEntry = Central Directory
- EndLocator = End of Central Directory Record
Upon creating a normal ZIP file and expressing it in a format of ZIP, files are shown as the Figure 2.
The number of Record and DirEntry is equal to the number of archive files in the normal ZIP archive format, and only one EndLocator exists. Hence, if 3 files are compressed, 3 Records, 3 DirEntries, and 1 EndLocator exist as shown in Figure 2.
When reading an internal file compressed in the form of a ZIP file, most of the compressor refers to ‘EndLocator’ structure first and foremost.
EndLocator is a structure that is on the bottommost part of Figure 3, and it contains info such as elEntriesInDirectory that can be used to figure out the number of compressed files, elDirectoryOffset that points toward the first of DirEntry form with Offset (red arrow), and elDirectorySize that can be used to see the total size of all DirEntries. It then refers to DirEntry and reads Record. As DirEntry contains info of each Record, data compressed in Record can be checked by performing repetition as much as the number of compressed data.
2 Abnormal Aspects
There are two abnormal aspects in the malicious file previously mentioned in this document.
1) The number of EndLocators
As shown in Figure 2, only 1 EndLocator exists in a structure of a normal ZIP archive file.
However, as shown in Figure 5, the sample has 2 EndLocators, and the value of elEntriesInDirectory that represents the number of zipped files is ‘1’ instead of ‘2.’ Therefore, it can be assumed that the attacker archived *.jpg and *.exe each into ZIP files and combined the two.
2) elDirectoryOffset value of EndLocator
Normally, elDirectoryOffset value of ZIP archive file must contain offset of DirEntry. However, the sample contains Record[1] Size(0x7630) of *exe instead of DirEntry[1] offset (0xDC66) (See Figure 6). This is clearly an abnormal value, but it is speculated that this was due to the differences in ‘handling’ of damaged (or abnormal) zip structure between each compressor. That’s why a certain program extracts *.jpg which is the uppermost data, whereas other compressor like WinRAR extracts *.exe. Some compressors recognize the file as a damaged file, which results in creating a normal zip in order to make *.jpg and *.exe files readable.
The method is very simple: it compressed both the normal image and the malicious file, then combined them. It is assumed that this was done to bypass preemptive blocking of anti-malware software and other specific software.
To detect this malware with V3, go to ‘Settings > Scan Settings > Intense Scan > Scan Target’ and check the ‘compressed files.’
To prevent infection by malware such as the one shown in the sample, users must refrain from opening attachment files and links from an unknown source, and update OS security and Anti-Virus program to the latest version.
AhnLab’s V3 products detect the internal files under the following aliases:
- Trojan/Win32.Vbkrypt (2020.03.28.01)
Categories:Malware Information