Hackers Use ZIP Concatenation to Evade Detection on Windows Systems

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. New AndroxGh0st-Mozi Botnet Collaboration Targets IoT Devices and Cloud Services

The AndroxGh0st malware is expanding its operations by exploiting vulnerabilities in widely used internet-facing applications, targeting frameworks like Laravel, PHPUnit, and Apache. This malware has integrated with the Mozi botnet, known for infecting IoT devices and performing DDoS attacks. Together, they amplify their reach into IoT ecosystems while leveraging Mozi’s infrastructure for persistent access and streamlined propagation. Exploited vulnerabilities include CVE-2017-9841, CVE-2018-15133, and CVE-2021-41773, enabling remote code execution, credential theft, and directory traversal. Cybersecurity researchers emphasize regular patching of these applications, isolating IoT devices through strict network segmentation, and using robust credential management practices like enforcing strong passwords and multi-factor authentication. Organizations should deploy detection systems to monitor for Indicators of Compromise (IoCs), including unauthorized file modifications and abnormal connections to known command-and-control servers. By implementing application hardening measures such as restricting access to sensitive files and deploying web application firewalls, businesses can mitigate the risks posed by these evolving threats.

2. Hackers Use ZIP Concatenation to Evade Detection on Windows Systems

Hackers are leveraging a novel technique involving concatenated ZIP files to deliver trojans and evade security detection. This approach exploits inconsistencies in ZIP parsers, combining multiple ZIP files into a single archive. Depending on the tool used, such as 7-Zip, WinRAR, or Windows File Explorer, users may see only benign content or the embedded malware, complicating detection. Discovered during a phishing attack disguised as a fake shipping notice, the technique embeds AutoIt scripts for malicious automation, exploiting parser differences to bypass traditional defenses.

To combat this, organizations should deploy security solutions capable of recursively unpacking concatenated archives to uncover hidden threats. Email filtering systems should flag suspicious ZIP files, while employee training on recognizing phishing attempts is essential. Users are advised to avoid opening ZIP files from unknown sources and monitor for unusual file extractions or unexpected script executions. These measures can mitigate the risks of this advanced malware delivery method.

3. Ymir Ransomware New In-Memory Variant Targets RustyStealer-Compromised Systems

The Ymir ransomware is a sophisticated in-memory ransomware variant targeting systems compromised by the RustyStealer malware. It utilizes the ChaCha20 cipher for file encryption and operates entirely from memory, evading traditional detection methods. Following RustyStealer infections, which exploit compromised credentials and lateral movement, attackers deploy Ymir ransomware with high privileges across networks, highlighting a growing trend of infostealers enabling ransomware attacks. Ymir performs reconnaissance, avoids sandbox analysis, and leaves ransom notes titled “INCIDENT_REPORT.pdf” in encrypted folders. It modifies Windows Registry entries to display extortion messages upon login and deletes its executable using PowerShell to hinder forensic analysis.

Organizations should implement robust network segmentation, regularly review and secure credentials, and restrict access to tools like PowerShell and Advanced IP Scanner. Advanced endpoint monitoring can flag unusual in-memory activity and lateral movement attempts. File and registry integrity monitoring, coupled with user training to detect phishing threats, is essential to mitigate the risks posed by this evolving ransomware threat.

4. CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild

A newly patched NTLM vulnerability (CVE-2024-43451) has been exploited as a zero-day by a suspected Russia-linked actor to target Ukraine, enabling NTLM hash theft for Pass-the-Hash attacks. The vulnerability, with a CVSS score of 6.5, allows attackers to steal NTLMv2 hashes via minimal interactions with malicious URL files, such as a click or right-click, without opening the file. The attack chain, linked to threat actor UAC-0194, began with phishing emails sent from a compromised Ukrainian government server, delivering ZIP files containing malicious .URL files. Upon interaction, these files connected to a remote server to download malware, including Spark RAT, which enabled control over infected systems and NTLM hash exfiltration.

To mitigate risks, ensure systems are updated with Microsoft’s patches and avoid interacting with untrusted URL files. Monitor network traffic for suspicious SMB activity and NTLM hash transmission. These measures can help defend against this advanced phishing-based attack chain.

5. CVE-2024-10979: PostgreSQL Vulnerability Enables Environment Variable Exploitation

A critical vulnerability (CVE-2024-10979) in PostgreSQL allows unprivileged users to alter environment variables, posing risks of arbitrary code execution and sensitive data disclosure. With a CVSS score of 8.8, the flaw, discovered in the PL/Perl extension, permits attackers to manipulate process environment variables like PATH, enabling malicious queries without direct OS access. This vulnerability affects PostgreSQL versions 12 to 17 and stems from improper control of environment variables used for configuration during startup. Exploitation could lead to severe system compromise or data exfiltration.

To mitigate, users should immediately update to patched PostgreSQL versions 12.21, 13.17, 14.14, 15.9, 16.5, or 17.1. Limit the use of PL/Perl and other extensions by restricting CREATE EXTENSION and CREATE FUNCTION permissions to trusted roles. Apply the principle of least privilege, monitor database configurations and logs for unauthorized activity, and disable unused extensions to reduce exposure to potential exploits.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories