
New ‘File Archiver In The Browser’ Phishing Kit Masquerades as WinRAR

A few months ago, Google released several new TLDs, including .zip, as a valid extension for any website. Since then, several security professionals and agencies have been debating the possible risks associated with this action.

Researcher mr.d0x recently claimed that it is possible to abuse Google’s new .zip Top Level Domains (TLDs) to distribute malware. He prepared a phishing kit called File Archivers in the Browser to lure potential victims by presenting a fake WinRAR or File Explorer window and redirecting them to fake websites hosted by the attackers.

About the new phishing toolkit

The phishing kit allows the attacker to embed a fake window in the web browser of the targeted machine that masquerades as a WinRAR or Windows File Explorer window and shows a list of archived (.zip) files.
  • To make it look more realistic, the fake window includes a button that purports to run a security scan of the files.
  • When clicked, it shows a message box stating that the files have been scanned and no threats were detected.
  • In addition, an Extract To feature can be used to drop malicious payloads while simulating that the archived files are being unzipped and saved on the local machine.

Multiple attack use cases

According to mr.d0x, the phishing kit can be used for multiple threat scenarios, including malware delivery and credential theft. 
  • The fake WinRAR window displays a PDF file (such as Invoice.pdf) which, when clicked, redirects the visitor to a phishing page designed to collect login credentials.
  • Alternatively, clicking on the PDF file (document.pdf) downloads a similarly named file with a .exe extension (document.pdf.exe). Since file extensions are often hidden in the default Explorer view, the executable appears as a harmless PDF file.
  • Another possible attack scenario relies on the default search behavior of Windows. When a file name such as example.zip is typed into Windows search and no matching file is found, the search opens the string in a browser, which takes the user to the website http://example[.]zip, a domain that may be controlled by attackers.

Ending notes

The phishing kit File Archivers in the Browser is clear evidence that the newly launched TLDs open up new opportunities for phishing attacks. An immediate option is for network admins to block the .zip and similar new TLDs unless they are needed for business purposes.
Moreover, raising awareness about these new TLDs and their possible misuse can help mitigate the risks.
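The attack scenarios above (a .zip hostname reached from the Windows search bar, and a document.pdf.exe download dressed up as a PDF) and the blocking advice in the ending notes can both be turned into a simple proxy-log check. The script below is an added example, not code from the article or from mr.d0x's kit: it parses a handful of constructed proxy log lines, flags hostnames whose TLD reads like a file extension (.zip from the article, plus .mov from the same Google batch, an assumed list to tune locally), flags downloads whose filename stacks an executable extension behind a document extension, and applies an assumed business allowlist so that a required .zip host is reported but not blocked. The log format and the allowlist entry are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines; the field layout
# (timestamp client method url status bytes) is an assumption.
SAMPLE_LOG = """\
2024-01-15T09:12:01Z 10.0.0.12 GET http://example.zip/ 200 3120
2024-01-15T09:12:05Z 10.0.0.12 GET http://example.zip/document.pdf.exe 200 418304
2024-01-15T09:13:44Z 10.0.0.33 GET https://files.partner.zip/report.pdf 200 90211
2024-01-15T09:14:10Z 10.0.0.45 GET https://www.example.com/invoice.pdf 200 52201
2024-01-15T09:15:02Z 10.0.0.45 GET https://cdn.example.com/app.zip 200 120000
"""

# TLDs that look like file extensions (.zip from the article, .mov from the same
# batch of new Google TLDs); treat this as a starting list, not a complete one.
FILE_LIKE_TLDS = {"zip", "mov"}

# Hosts under those TLDs that the business genuinely needs (assumed example).
ALLOWLIST = {"files.partner.zip"}

# A document-looking extension immediately followed by an executable one
# is the document.pdf.exe pattern described in the article.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "msi", "js", "vbs"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def tld_of(host):
    """Last DNS label of a hostname, lower-cased."""
    return host.rsplit(".", 1)[-1].lower()


def has_double_extension(path):
    """True for names such as document.pdf.exe (doc ext, then exec ext)."""
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS


def classify_url(url):
    """Return the findings for one URL; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return findings
    if tld_of(host) in FILE_LIKE_TLDS:
        # Report the allowlisted host too, so the exception stays visible in review.
        findings.append("allowlisted-file-like-tld" if host in ALLOWLIST
                        else "file-like-tld")
    if has_double_extension(parts.path):
        findings.append("double-extension-download")
    return findings


def policy(url):
    """'block' when any non-allowlisted finding is present, else 'allow'."""
    blocking = {"file-like-tld", "double-extension-download"}
    return "block" if blocking & set(classify_url(url)) else "allow"


def scan_log(text):
    """Yield (client, url, findings, decision) for every flagged log line."""
    results = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        url = m.group("url")
        findings = classify_url(url)
        if findings:
            results.append((m.group("client"), url, findings, policy(url)))
    return results


if __name__ == "__main__":
    for client, url, findings, decision in scan_log(SAMPLE_LOG):
        print(f"{decision:5} {client:10} {url}  [{', '.join(findings)}]")
```

Run against the constructed lines, the two example.zip requests come out as block, the allowlisted partner host as allow but still reported, and the ordinary .com requests (including the legitimate app.zip download from a .com host) are left alone. The check keys on the hostname's TLD, not on ".zip" appearing anywhere in the URL, which is what keeps normal archive downloads out of the alert queue.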
Cyware Publisher
