Ethical Hacking News

New 'Zombie ZIP' Technique Allows Malware to Evade Security Tools



A new 'Zombie ZIP' technique has been discovered that allows malware to bypass even the most advanced security solutions by manipulating ZIP headers. This innovative approach uses compressed files to conceal malicious payloads and evade detection, making it essential for users to be aware of this threat and take necessary precautions.

  • The "Zombie ZIP" technique allows malware to bypass even the most advanced security solutions by leveraging compressed files in ZIP format.
  • The technique manipulates ZIP headers to trick parsing engines into treating compressed data as uncompressed.
  • The attackers exploit a vulnerability in how some security tools trust the ZIP Method field and scan the data as raw uncompressed bytes when it's set to 0 (STORED).
  • The CERT Coordination Center has published a bulletin warning about the "Zombie ZIP" technique and its risks.
  • Security tool vendors must validate compression method fields against actual data and implement mechanisms to detect inconsistencies in archive structure.
  • Users should exercise caution when dealing with archive files from unknown sources and delete them immediately if their attempts to decompress them result in an "unsupported method" error.



In a concerning development that highlights the evolving nature of cyber threats, a new technique dubbed "Zombie ZIP" has emerged, allowing malware to bypass even the most advanced security solutions. This approach leverages compressed files, specifically in ZIP format, to conceal malicious payloads and evade detection by security tools.

At the heart of this technique lies a manipulation of ZIP headers, which are designed to provide metadata about the contents of an archive file. By altering these headers, attackers can trick parsing engines into treating compressed data as uncompressed, so the payload is never flagged or scanned by security solutions such as antivirus software and endpoint detection and response (EDR) products.

The "Zombie ZIP" technique was devised by Chris Aziz, a security researcher at Bombadil Systems, who discovered that it works against 50 out of 51 AV engines on VirusTotal. According to Aziz, this is because security tools trust the ZIP Method field and scan the data as raw uncompressed bytes when it is set to 0 (STORED). In reality, the data is DEFLATE compressed, so it appears as "compressed noise" to scanners.

To exploit this weakness, threat actors can create a loader that ignores the header and treats the archive for what it is: data compressed with the standard Deflate algorithm used in modern ZIP files. By setting the CRC value of the archive to the uncompressed payload's checksum, attackers cause popular extraction tools such as 7-Zip, WinRAR or unzip to report an error, whereas a purpose-built loader that ignores the declared method and decompresses the data as DEFLATE recovers the payload intact.

The CERT Coordination Center (CERT/CC) has published a bulletin warning about the "Zombie ZIP" technique and raising awareness of the risks posed by malformed archive files. While a malformed header may trick security solutions, some extraction tools are still able to correctly decompress the ZIP archive.

To mitigate this threat, security tool vendors must validate compression method fields against the actual data, add mechanisms to detect inconsistencies in archive structure, and implement more aggressive archive inspection modes. Users should also exercise caution when dealing with archive files from unknown sources and delete them immediately if an attempt to decompress them results in an "unsupported method" error.
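As an added example (not code from the article, CERT/CC or the researcher), the following Python checker applies the vendor mitigation described above: it walks the local file headers of an archive and, for every entry declared STORED, verifies that the raw bytes hash to the declared CRC; if they do not, it tests whether the bytes are in fact a DEFLATE stream whose inflated output matches the CRC, which is exactly the inconsistency the technique relies on. The fixture builders, function names and verdict strings are my own assumptions for the demonstration.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"  # local file header signature

def _raw_inflate(blob: bytes):
    """Return the raw-DEFLATE inflation of blob, or None if it is not valid DEFLATE."""
    try:
        return zlib.decompress(blob, -15)  # wbits=-15: raw deflate stream as used in ZIP
    except zlib.error:
        return None

def check_zip_entries(data: bytes):
    """Walk every local file header and cross-check the declared method against the
    bytes that follow it. Returns [(name, declared_method, verdict), ...]."""
    results, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        # header: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        method, _t, _d, crc, csize, _usize, nlen, xlen = struct.unpack_from("<HHHIIIHH", data, pos + 8)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        blob = data[start:start + csize]
        if method == 0:  # STORED: the bytes must hash to the declared CRC as-is
            if zlib.crc32(blob) == crc:
                verdict = "consistent"
            else:  # CRC fails on raw bytes: does it pass on the bytes inflated as DEFLATE?
                inflated = _raw_inflate(blob)
                verdict = ("stored-header-over-deflate-data" if inflated is not None
                           and zlib.crc32(inflated) == crc else "crc-mismatch")
        elif method == 8:  # DEFLATE: inflate and hash the result
            inflated = _raw_inflate(blob)
            verdict = "consistent" if inflated is not None and zlib.crc32(inflated) == crc else "corrupt"
        else:
            verdict = f"unsupported-method-{method}"
        results.append((name, method, verdict))
        pos = start + csize  # skip the payload so its bytes are never mistaken for a header
    return results

def build_sample(payload: bytes) -> bytes:
    """Constructed fixture: an ordinary single-entry DEFLATE archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", payload)
    return buf.getvalue()

def patch_method_stored(data: bytes) -> bytes:
    """Constructed fixture: set the first local header's method to 0 (STORED) while the
    DEFLATE bytes and the CRC of the uncompressed payload stay untouched."""
    pos = data.find(LOCAL_SIG)
    return data[:pos + 8] + struct.pack("<H", 0) + data[pos + 10:]

if __name__ == "__main__":
    for name, method, verdict in check_zip_entries(patch_method_stored(build_sample(b"A" * 2000))):
        print(name, method, verdict)
```

The checker reads only local headers; a production scanner should also compare each entry's central directory record against its local header, since a mismatch between the two is another structural inconsistency worth flagging.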

The emergence of the "Zombie ZIP" technique serves as a stark reminder of the ongoing cat-and-mouse game between security researchers and malicious actors. As threat actors continue to evolve their tactics, it is essential for security professionals and end users alike to stay vigilant and adapt their defenses accordingly.

In conclusion, the "Zombie ZIP" technique represents a significant challenge to security tools and highlights the need for continuous innovation in security research. By understanding this new technique and implementing appropriate countermeasures, we can reduce the risk of falling victim to these advanced threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Zombie-ZIP-Technique-Allows-Malware-to-Evade-Security-Tools-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/new-zombie-zip-technique-lets-malware-slip-past-security-tools/
  • https://cybersecuritynews.com/malformed-zip-files-bypass-antivirus-and-edr-detections/


  • Published: Tue Mar 10 15:52:21 2026 by llama3.2 3B Q4_K_M