Tricking a user into downloading and opening malware is a common attack technique, and defenders have introduced security scanners to many layers of the ecosystem in an attempt to combat the technique:

• Web hosting providers may scan files served from their infrastructure.
• Network gateways and proxies may scan files in transit from server to client.
• Email web apps may scan files when received as attachments.
• Client download managers scan files as they’re downloaded from the internet.
• Client AV and OS security features scan downloaded files as they’re stored on disk or opened.

With all this scanning in place, attackers have great incentives to try to prevent their malicious code from detection up until the moment that a user is infected.

One technique attackers use to avoid getting blocked is serving the malware inside an archive: for example, using a .zip, .rar, or .7z file. Unfortunately for attackers, defenders long ago caught on to this technique and enhanced scanners to peek inside archives. For example, if you download a .zip file in Chrome or Edge, the browser will decompress the archive file and scan the files within it using SafeBrowsing or SmartScreen. Client AV software will scan inside archives on disk, etc.

Attackers were forced to take another step — encrypting the archive using a password that they share with the user.

Requiring that the end-user type a password to get at the malicious content adds some friction– users might not understand how to do so, or might get suspicious if this isn’t something they’re used to doing. However, the tradeoff is that many of the security scanners (at the web host, gateway, and download manager) will not be able to peek inside the archive¹ to hunt out malicious content. Only security scanners run after the archive’s content is extracted will have the opportunity to block the malware.

This attack works best when the attacker has established some pretext for the file being encrypted; e.g. claiming that it contains private content like financial records, a “free trial” of a paid app, or other types of illegal programs like keygen/cracking software.

This same encryption technique is sometimes used to hide URLs used in phishing attacks: The attacker sends the user a phishing link inside an encrypted PDF or ZIP file, and thereby scanners that would ordinarily block the phishing link are blinded.

What can a security administrator do to combat this threat vector?

First, help your users understand that encrypted archives are inherently more risky than average. Consider blocking or quarantining encrypted archives, or enable prompting the user for the password if your security software supports the option. Ensure that your users exclusively use archive extraction software that correctly propagates the Mark-of-the-Web, so that client security software is able to detect files extracted from archives that originated from untrusted sources.

Stay safe out there!

-Eric

¹ In rare cases, a security program might be able to decrypt the archive (if it uses an extremely common password, or if it’s configured to detect the password in an email message or download page) but this is, to the best of my knowledge, extremely uncommon.

Impatient optimist. Dad. Author/speaker. Created Fiddler & SlickRun. PM @ Microsoft 2001-2012, and 2018-, working on Office, IE, and Edge. Now a GPM for Microsoft Defender. My words are my own, I do not speak for any other entity. View more posts