Phishing Alert: Attackers are abusing .zip domains to trick you

It has not been long since Google opened the .zip top-level domain to public registration (May 2023), and attackers have already been observed abusing it for malware distribution. The lure relies on the collision between a hostname and a file name: the victim believes they are opening a legitimate file archive, when they are in fact visiting a website that downloads malware onto their device.

Researchers outlined that an attacker can register a domain such as "setup.zip", a name a user would naturally read as the archive of an installer. On that domain the attacker hosts a page that closely resembles the WinRAR window, complete with a fake file path, file icons, and toolbar elements that make everything look legitimate. To further disarm the victim, the page may also show a fake antivirus scan popup reporting that the files in the archive have been scanned and no threats were found.


A Website, or an archive? Abusing the Phishing Toolkit 

According to the research, this phishing toolkit can be used both to steal user credentials and to deliver malware. Let us take a closer look at each.

Imagine you are looking at a fake WinRAR window in your browser and you click on a PDF file listed inside it. Instead of opening the PDF, you are redirected to another page that asks for your login credentials, under the pretense that they are needed to view the file. That is one way the toolkit steals credentials. The other method lists a PDF file in the fake archive window, but clicking it downloads a different file with a similar name that ends in .exe.

For example, the window shows a file named "document.pdf", but your browser downloads a file called "document.pdf.exe". The tricky part is that Windows Explorer hides the extension of known file types by default, so the download shows up in your Downloads folder as "document.pdf" with no visible .exe. Double-click it thinking it is a harmless document and you have run an executable on your computer. Only Explorer hides the name: the full "document.pdf.exe" is still visible in the browser's own download list, in a command prompt, or in Explorer once you turn on "File name extensions" in the View menu.

Now, here is where it gets interesting. When you type a file name into the Windows File Explorer search or address bar and no such file exists, Windows hands the string to your default browser as a URL. If it matches a registered domain, that website opens; otherwise you land on Bing search results. So if someone registers a .zip domain that matches a common file name, such as setup.zip, and a user types that name into Explorer looking for a file, Windows opens the attacker's website in the browser. And if that site hosts the 'File Archivers in the Browser' phishing kit, the user sees what looks like WinRAR displaying a genuine ZIP archive.
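As an added example that is not part of the original post, the following Python script implements the two checks a defender would want for this scenario: telling a hostname under the .zip TLD apart from an ordinary download path that merely ends in .zip, and spotting a double-extension download such as document.pdf.exe that Explorer would display as document.pdf. The proxy log format and its lines are constructed for the example, and the extension lists are assumptions to tune to your own environment.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Top-level domains that read like file extensions. The post discusses .zip;
# extend the set if other TLDs should be treated the same way (assumption).
FILE_LIKE_TLDS = {"zip"}

# Extensions Windows runs when double-clicked (assumed list; tune to your estate).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}

# Harmless-looking extensions a lure is likely to borrow (assumed list).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png"}


def host_has_file_like_tld(url: str) -> bool:
    """Return True when the *hostname* of url ends in a file-like TLD.

    Only the host matters: https://example.com/setup.zip is a download path,
    while https://setup.zip/ is a website. A bare string such as "setup.zip"
    (what a user might type into Explorer) is treated as a hostname, which is
    how Windows hands it to the browser.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return len(labels) >= 2 and labels[-1] in FILE_LIKE_TLDS


def looks_like_disguised_executable(filename: str) -> bool:
    """True for names like document.pdf.exe: a document extension followed by
    an executable one. Plain setup.exe is not disguised and is not flagged."""
    parts = filename.lower().split(".")
    return (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTS
            and parts[-2] in DOCUMENT_EXTS)


def name_as_explorer_shows_it(filename: str) -> str:
    """What Explorer displays with 'Hide extensions for known file types' on:
    the final extension is dropped, so document.pdf.exe appears as document.pdf."""
    root, dot, _ext = filename.rpartition(".")
    return root if dot else filename


# Constructed sample proxy log (not real data): timestamp, user, method,
# URL, and the file name the browser saved ("-" when nothing was downloaded).
SAMPLE_LOG = """\
2023-05-20T10:01:02Z alice GET https://www.example.com/downloads/setup.zip setup.zip
2023-05-20T10:03:15Z bob GET https://setup.zip/ -
2023-05-20T10:03:40Z bob GET https://setup.zip/files/document.pdf document.pdf.exe
2023-05-20T10:05:00Z carol GET https://intranet.example.com/report.pdf report.pdf
"""


def scan_log(text: str) -> List[Dict[str, object]]:
    """Apply both checks to every log line and return the suspicious ones."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, _method, url, saved_as = line.split()
        reasons = []
        if host_has_file_like_tld(url):
            reasons.append("host under file-like TLD")
        if saved_as != "-" and looks_like_disguised_executable(saved_as):
            reasons.append("double-extension executable download")
        if reasons:
            shown = name_as_explorer_shows_it(saved_as) if saved_as != "-" else "-"
            findings.append({"ts": ts, "user": user, "url": url,
                             "saved_as": saved_as, "shown_as": shown,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']} {f['url']} saved={f['saved_as']} "
              f"shown={f['shown_as']} -> {', '.join(f['reasons'])}")
```

Running it reports bob's two requests: the visit to setup.zip itself, and the download that arrived as document.pdf.exe but would sit in Downloads looking like document.pdf. Alice's download of setup.zip from www.example.com is not flagged, which is the distinction that matters: the TLD check must look at the hostname, not at whether the URL happens to end in .zip.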

This technique shows how malicious actors can misuse .zip domains to build convincing phishing attacks that deliver malware and steal credentials. A few practical checks help: look at the browser's address bar, because a real archive open in WinRAR is a desktop window, not a browser tab with a URL; turn on "File name extensions" in Explorer's View menu so that document.pdf.exe shows its real name; and, in a corporate environment, consider logging or blocking traffic to hosts under the .zip TLD at the proxy unless you know of a legitimate business need for it. Above all, be vigilant whenever you come across a ".zip domain" while browsing.

For more blogs like this, please visit us at https://blog.excellimatrix.com/   

