Malware Dropped Through a ZPAQ Archive


Ever seen a ZPAQ archive? This morning, my honeypot captured a phishing attempt which lured the potential victim into opening a “ZPAQ” archive. This is not a common file format, and an attacker could use it to bypass classic security controls. What Wikipedia says about ZPAQ:

ZPAQ is an open source command line archiver for Windows and Linux. It uses a journaling or append-only format which can be rolled back to an earlier state to retrieve older versions of files and directories. It supports fast incremental update by adding only files whose last-modified date has changed since the previous update. It compresses using deduplication and several algorithms (LZ77, BWT, and context mixing) depending on the data type and the selected compression level. To preserve forward and backward compatibility between versions as the compression algorithm is improved, it stores the decompression algorithm in the archive.

The file was called “Purchase Order pdf.zpaq” (SHA256:1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6[1]). Because the archive uses an “exotic” compression algorithm, the VT score is null! I tried the classic tools on a stock Windows operating system, including 7Zip, and none of them was able to decompress the archive. This is strange because it reduces the number of potential victims! On Windows, you can use PeaZip[2].
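An added defender-side example, not code from the diary or from SANS ISC: a small Python check that recognises a ZPAQ archive by its header bytes rather than by its extension, so a mail gateway or sandbox can hold such attachments even when no installed archiver understands the format. The 13-byte locator tag and the "zPQ" block header are assumed from the public ZPAQ level 2 specification (verify against your own copy); the sample inputs are constructed.

```python
import os

# ZPAQ archives written by the zpaq tool start with a 13-byte locator tag
# ("7kSt" + 9 fixed bytes) followed by a block header "zPQ", a level byte
# (1 or 2) and a 1 byte. Assumed from the public ZPAQ level 2 spec; the tag
# is optional, so a bare "zPQ" header at offset 0 is also accepted.
ZPAQ_LOCATOR_TAG = bytes.fromhex("376B5374A03183D38CB228B0D3")
ZPAQ_BLOCK_MAGIC = b"zPQ"

# Words that make an archive name look like a document, as in the lure
# "Purchase Order pdf.zpaq" from the diary.
DOCUMENT_WORDS = ("pdf", "doc", "docx", "xls", "xlsx")


def identify_zpaq(data: bytes) -> dict:
    """Return {'is_zpaq', 'level', 'tagged'} for the first bytes of a file."""
    tagged = data.startswith(ZPAQ_LOCATOR_TAG)
    offset = len(ZPAQ_LOCATOR_TAG) if tagged else 0
    header = data[offset:offset + 5]
    if (len(header) == 5 and header[:3] == ZPAQ_BLOCK_MAGIC
            and header[3] in (1, 2) and header[4] == 1):
        return {"is_zpaq": True, "level": header[3], "tagged": tagged}
    return {"is_zpaq": False, "level": None, "tagged": False}


def suspicious_attachment(filename: str, data: bytes) -> list:
    """List the reasons a gateway might hold this attachment for review."""
    reasons = []
    info = identify_zpaq(data)
    stem, ext = os.path.splitext(filename)
    if info["is_zpaq"]:
        reasons.append("content is a ZPAQ archive (level %d)" % info["level"])
        # Archive whose name mimics a document: a classic phishing lure
        if any(w in stem.lower().replace(".", " ").split() for w in DOCUMENT_WORDS):
            reasons.append("archive name mimics a document: %r" % filename)
    elif ext.lower() == ".zpaq":
        reasons.append("extension .zpaq but content is not a ZPAQ archive")
    return reasons


# Constructed samples (not real malware): a minimal tagged ZPAQ level-2
# header with zero padding, and a harmless PDF-like header.
SAMPLE_ZPAQ = ZPAQ_LOCATOR_TAG + b"zPQ\x02\x01" + b"\x00" * 16
SAMPLE_PDF = b"%PDF-1.7\n" + b"\x00" * 16

if __name__ == "__main__":
    print(suspicious_attachment("Purchase Order pdf.zpaq", SAMPLE_ZPAQ))
    print(suspicious_attachment("report.pdf", SAMPLE_PDF))
```

Run the content check on every attachment regardless of its declared extension; the extension-only branch catches files renamed to look like something else.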


Source: SANS: Internet Storm Center