Zip files are a popular method to deliver payloads as they are common extensions, but I think they are not normal in a work environment (Please do correct me if anything). A good reason why this file format is a great delivery method is we can have it password protected and avoid an AV to scan our malware compressed on the zip file since the AV wouldn't have the access necessary to scan the file in the interior, it’s a good method to deliver but we need to still be aware the file will be scanned again once uncompressed and executed by the user this is just a method to avoid some initial detection.

In this demonstration I will use a simple binary built with msfvenom as this tool is well known in security and AV this is a great demonstration of how zip-protected files can bypass Email Security and even AVs for delivery.

Will create the payload then deliver it to prove detection:

Now we deliver it to our target and:

Immediate detection will also get detected if compressed without a password, the password is the way to encrypt and avoid the AV having access to our payload so will move on to compressing the payload onto a protected ZIP file to avoid immediate detection you can use any favorite ZIP compressing tool

PASS: Evasion

Will deliver this new payload and we see we don't immediately get flagged we have options now:

I will save this so it can touch the disk and even prove further that the detection is still evaded

We have successfully delivered our payload to the target machine, usually, only pretexts can have us move further and have the user interact with the file and have them Open the Zip, Save, Uncompressing and still execute.

Last updated