Query Details

Innovative Detection Techniques Against ZIP Concatenation Attacks

Query

// Unmasking New Malware Threats: Innovative Detection Techniques Against ZIP Concatenation Attacks
// https://perception-point.io/blog/evasive-concatenated-zip-trojan-targets-windows-users/
// A new malware technique using ZIP file concatenation has been identified, targeting Windows users. Attackers exploit the differences in how various ZIP readers process these concatenated files, allowing them to hide malicious payloads and evade detection by security solutions. This method has been observed in recent phishing attacks, underscoring the need for more advanced detection tools. Credit to Perception Point for uncovering this critical information. (Blog to be shared in the comment section)
// I developed a custom KQL detection to identify such potential abuse by gathering all ZIP file names received from inbound emails and using MDE DeviceFileEvents to check for ZIP file decompression that creates new additional .exe files, which might evade detection at the mail gateway level. Devices can be isolated for further action if required.

// Step 1: distinct names of single zip/rar attachments on inbound mail
// that the gateway actually delivered during the last 30 days.
let EmailZipFile =
EmailEvents
| where Timestamp > ago(30d)
| join EmailAttachmentInfo on NetworkMessageId
| where EmailDirection == "Inbound" and AttachmentCount == 1
| where FileType == @"rar" or FileType == @"zip"
| where DeliveryAction == "Delivered"
| distinct FileName;
// Step 2: archive tools whose extraction activity is examined
// (Windows Explorer's built-in handler, explorer.exe, is not in this list).
let UncompressTools = dynamic(["7z.exe", "7za.exe", "7zfm.exe", "winzip64.exe", "winrar.exe", "unzip.exe"]);
// Step 3: executables written by one of those tools while its command line
// referenced an archive whose name matches a delivered attachment.
// has_any accepts the tabular EmailZipFile directly (its first column is used).
DeviceFileEvents
| where ActionType == @"FileCreated"
| where InitiatingProcessFileName has_any(UncompressTools)
| where InitiatingProcessCommandLine has_any(EmailZipFile)
| where FileName endswith ".exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, SHA256

Explanation

This KQL query looks for the endpoint side effect of a ZIP concatenation attack: an archive that the mail gateway delivered because it inspected one of the concatenated archives, while the extraction tool on the endpoint read the other one and produced an executable. Step by step:

  1. Identify archive attachments from email:

    • EmailEvents from the past 30 days is joined to EmailAttachmentInfo on NetworkMessageId, keeping inbound messages with exactly one attachment whose type is zip or rar and whose DeliveryAction is Delivered (blocked or quarantined mail is excluded). The distinct attachment names become the lookup list EmailZipFile.
  2. Track file decompression:

    • DeviceFileEvents FileCreated records are filtered to processes in UncompressTools (7-Zip, WinZip, WinRAR and unzip.exe) whose command line contains one of those attachment names.
  3. Detect suspicious activity:

    • Only records where the created file ends in .exe are kept. An executable appearing from an archive that passed the gateway as clean is the signal that the gateway and the endpoint tool parsed the file differently, which is exactly what concatenation is designed to achieve.
  4. Potential isolation:

    • Matching devices can be isolated (for example with the Isolate device action in Microsoft Defender for Endpoint) while the archive and the dropped executable are investigated.

Caveats to keep in mind when tuning the query:

  • The command-line match only fires when the archive path is passed to the tool. Archives dragged into an already open archive manager window, or extracted with Windows Explorer's built-in handler (explorer.exe is not in UncompressTools), will not match.
  • Generic attachment names such as invoice.zip or archive.zip will also match unrelated extractions of files with the same name, so expect to add exclusions or correlate on the device that received the mail.
  • Only .exe output is covered; add other executable extensions (for example .scr or .com) if required.

Overall, the query surfaces archives that bypassed the gateway's inspection rather than the concatenation itself, and it should be paired with gateway-side checks that flag archives containing more than one ZIP structure.
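The reader discrepancy that the detection above relies on can be reproduced offline. The following Python script is an added example; it is not part of the original page, of Steven Lim's query, or of Perception Point's research. It builds a concatenated ZIP from two constructed archives (the "executable" is a placeholder string, not a real binary), then parses the result two ways: forward from offset 0, the way a reader that trusts the first local file header does, and backwards from the last end-of-central-directory record, the way Python's zipfile module does. The check_concatenation function is a hypothetical gateway-side control that flags trailing ZIP data and lists entries visible only to the second strategy. It does not claim which real-world tool uses which strategy.

```python
# Added example (not from the page or Perception Point): builds a concatenated
# ZIP and shows why two readers disagree about its contents. All sample data is
# constructed; the "executable" is a placeholder string, not a real PE file.
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
CDH_SIG = b"PK\x01\x02"   # central directory header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature


def make_zip(entries):
    """Build an in-memory STORED zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def first_archive_view(blob):
    """Parse forward from offset 0 like a reader that trusts the first local
    header: local headers, then central directory, then EOCD.
    Returns (entry names, offset where the first archive ends)."""
    names, pos = [], 0
    while blob[pos:pos + 4] == LFH_SIG:
        # sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        _, _, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<HHHHHIIIHH", blob, pos + 4)
        names.append(blob[pos + 30:pos + 30 + nlen].decode())
        pos += 30 + nlen + xlen + csize       # STORED data, no data descriptor
    while blob[pos:pos + 4] == CDH_SIG:
        nlen, xlen, clen = struct.unpack_from("<HHH", blob, pos + 28)
        pos += 46 + nlen + xlen + clen
    if blob[pos:pos + 4] != EOCD_SIG:
        raise ValueError("no EOCD record at offset %d" % pos)
    (comment_len,) = struct.unpack_from("<H", blob, pos + 20)
    return names, pos + 22 + comment_len


def last_archive_view(blob):
    """Parse like a reader that seeks backwards for the LAST EOCD record (the
    approach Python's zipfile takes): only the trailing archive is visible."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist()]


def check_concatenation(blob):
    """Hypothetical gateway-side check: flag trailing data that is itself a ZIP,
    and list entries an EOCD-based extractor sees but a forward parser does not."""
    first, end = first_archive_view(blob)
    trailing = blob[end:]
    last = last_archive_view(blob)
    hidden = sorted(set(last) - set(first))
    return {
        "concatenated": trailing.startswith(LFH_SIG),
        "trailing_bytes": len(trailing),
        "first_view": first,
        "last_view": last,
        "hidden_from_first_view": hidden,
        "hidden_executables": [n for n in hidden if n.lower().endswith(".exe")],
    }


def build_sample():
    """Constructed sample: a decoy archive holding a PDF-like file, followed by
    an archive that adds an executable under a similar name."""
    decoy = make_zip({"invoice.pdf": b"%PDF-1.4 placeholder decoy document"})
    payload = make_zip({"invoice.pdf": b"%PDF-1.4 placeholder",
                        "invoice_viewer.exe": b"placeholder, not a real PE file"})
    return decoy + payload


if __name__ == "__main__":
    for key, value in check_concatenation(build_sample()).items():
        print(f"{key}: {value}")
```

Run the script directly to see the two views side by side: the forward parse reports only invoice.pdf, while the EOCD-based parse reports invoice.pdf and invoice_viewer.exe, and the trailing bytes after the first archive's EOCD start with a local file header. A gateway that applies the forward parse alone would scan the decoy and deliver the file, which is the gap the KQL query closes from the endpoint side.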

Details


Steven Lim

Released: November 17, 2024

Tables

EmailEvents, EmailAttachmentInfo, DeviceFileEvents

Keywords

EmailEvents, EmailAttachmentInfo, DeviceFileEvents, Devices

Operators

let, |, where, join, on, ==, or, distinct, dynamic, has_any, endswith, >, ago
