[TIMESTAMP: 2026-03-27 04:52 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

ZIP Archive Evasion: Detecting Malicious Multi-File Payloads

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Threat actors are packing ZIP archives with over 100,000 mostly empty files so that security scanners exhaust their per-archive file-count or time budgets before they reach the malicious payload.
  • [02] Affected systems include email security gateways, sandboxes, and automated inspection tools that decompress and scan attachments for malware.
  • [03] Defenders should treat archives that exceed the inspection limit as suspicious (quarantine rather than fail open) and alert on attachments with anomalously high entry counts.

Overview of High-Density Archive Evasion

Threat actors frequently experiment with compression formats to bypass security controls and deliver malware through phishing campaigns. A recent SANS ISC analysis highlights a specific technique: ZIP archives containing an excessive number of files, in one instance over 100,000 entries.

This is not the classic "zip bomb", which relies on extreme compression ratios to exhaust memory or disk during decompression. Instead it targets the scanner's own logic. By saturating an archive with thousands of small or empty files, the attacker aims to trip timeout thresholds or maximum file-count limits in automated analysis engines, so that the real payload is never examined.

Technical Analysis of Multi-File ZIP Structures

The identified malicious archive contained 100,001 files. Listing it with a utility such as zipinfo reveals a repetitive structure in which filenames are generated programmatically, for example as 16-character hexadecimal strings. Most of these entries are zero-byte or contain junk data; they exist only to defeat archive inspection at the gateway or sandbox.

Most security products, including email gateways and sandboxes, allocate finite resources to decompressing and scanning attachments. To avoid a denial of service against the scanner itself, they typically enforce fixed limits such as:

  • Maximum decompression depth (e.g., 5 levels).
  • Maximum decompressed size (e.g., 200 MB).
  • Maximum number of files per archive (e.g., 5,000 files).

When an archive exceeds one of these limits, the tool may fail open and pass the file without further inspection, or it may simply stop after the first few thousand entries and never reach a malicious executable placed late in the archive's entry order. Note that the archive's central directory lists every entry with its name and sizes and can be read without decompressing anything; a scanner that gives up on the file data still has the complete entry list available for triage.

How to Detect Malicious ZIP Archives and File-Count Evasion

For a SOC to identify this behavior, monitoring must extend beyond file-hash matching to the metadata of compressed attachments. Detecting ZIP scanning evasion requires visibility into the archive's internal structure, specifically its central directory, at the gateway, before anything is extracted on an endpoint.

One effective method is to have the gateway or a lightweight pre-scan step record the entry count and on-disk size of every incoming archive, forward those fields to the SIEM, and alert when the number of file headers is disproportionately high relative to the total size. A ZIP archive with 100,000 files that is only a few megabytes in size is highly anomalous and should be treated as suspicious by default. Tools such as 7z l, unzip -l or zipinfo read only the central directory, so automated scripts can use them to count internal entries cheaply and raise an alert when the count exceeds an organizational threshold (e.g., 1,000 files).

Defensive Strategies and Mitigation

Successfully mitigating archive-based malware delivery requires a multi-layered approach that addresses both the transport and the endpoint layers. Relying solely on signature-based detection is insufficient when attackers use high-density archives to mask their payloads.

  1. Configure Inspection Limits: Configure email security gateways to block or quarantine archives that exceed a set file count rather than passing them uninspected, so that outliers receive manual review instead of bypassing automated scanning.
  2. File Type Blocking: Consider blocking less common archive and container formats (e.g., .iso, .vhd, .cab) if they are not required for business operations, as these are frequently used alongside high-file-count ZIPs for evasion.
  3. Endpoint Monitoring: Since network-layer scanners may be bypassed, the endpoint must be able to detect the malicious file once it is extracted. Monitor for processes spawned from common archive utilities that immediately attempt network connections or privilege escalation.
  4. Heuristic Analysis: Implement heuristics that flag sequential or randomized filenames within archives, as well as a high proportion of zero-byte entries, which indicate programmatic generation rather than legitimate user activity.
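The detection logic described above (counting entries and flagging programmatic filenames) and the fail-open behavior discussed in the technical analysis, worked through as an added Python example that is not part of the SANS ISC diary or this article. Both archives are constructed in memory; the thresholds, the 16-hex filename pattern, the executable-extension list and the stand-in payload (an MZ header followed by padding, not malware) are assumptions chosen for illustration.

```python
"""Central-directory triage for high-file-count ZIP attachments.

Added example (not code from the article or from SANS ISC). Two archives are
constructed in memory: a small benign one and one modelled on the pattern the
article describes (thousands of zero-byte, hex-named entries with a single
executable placed last). A budget-limited scanner that fails open is shown
beside metadata triage that reads only the central directory.
"""
import io
import re
import zipfile

# Assumed thresholds; tune them to the organisation's attachment baseline.
ENTRY_BUDGET = 1000          # the article's example organisational threshold
JUNK_FRACTION = 0.5          # more than half the entries zero-byte or hex-named
MIN_ENTRIES_FOR_DENSITY = 100
ENTRIES_PER_KIB = 4.0        # header-heavy archives carry almost no data
HEX16 = re.compile(r"^[0-9a-f]{16}$")   # 16-char hex names as in the sample
EXEC_EXT = (".exe", ".dll", ".scr", ".js", ".vbs", ".lnk", ".bat", ".cmd")


def build_benign_zip() -> bytes:
    """Constructed sample: a dozen small, human-named text files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(12):
            zf.writestr(f"reports/q{i % 4 + 1}_summary_{i}.txt",
                        b"quarterly figures\n" * 20)
    return buf.getvalue()


def build_padded_zip(n_junk: int = 5000) -> bytes:
    """Constructed sample: n_junk zero-byte hex-named entries, payload last.

    The stand-in payload is an MZ header plus padding, not real malware.
    zipfile switches to ZIP64 automatically, so a real 100,001-entry archive
    (past the 65,535-entry limit of the classic end-of-central-directory
    record) is handled the same way.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for i in range(n_junk):
            zf.writestr(f"{i:016x}", b"")
        zf.writestr("invoice.exe", b"MZ" + b"\x90" * 64)
    return buf.getvalue()


def naive_scan(data: bytes, budget: int = 5000) -> dict:
    """Models a scanner with a hard per-archive entry limit that fails open.

    Entries are inspected in central-directory order; once the budget is
    spent the archive is passed without looking at the remaining entries.
    """
    infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    inspected = 0
    for info in infos:
        if inspected >= budget:
            return {"verdict": "pass", "inspected": inspected,
                    "reason": "entry budget exhausted (fail-open)"}
        inspected += 1
        if info.filename.lower().endswith(EXEC_EXT):
            return {"verdict": "block", "inspected": inspected,
                    "reason": f"executable entry {info.filename}"}
    return {"verdict": "pass", "inspected": inspected,
            "reason": "all entries inspected"}


def triage_zip(data: bytes, budget: int = ENTRY_BUDGET) -> dict:
    """Derives metrics from the central directory alone (nothing is
    decompressed) and quarantines on any structural anomaly instead of
    failing open."""
    infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    n = len(infos)
    zero_byte = sum(1 for i in infos if i.file_size == 0)
    hex_names = sum(1 for i in infos
                    if HEX16.match(i.filename.rsplit("/", 1)[-1]))
    exec_entries = [i.filename for i in infos
                    if i.filename.lower().endswith(EXEC_EXT)]
    density = n / max(len(data) / 1024, 1e-6)   # entries per KiB of archive
    flags = []
    if n > budget:
        flags.append(f"entry_count {n} > {budget}")
    if n and zero_byte / n > JUNK_FRACTION:
        flags.append(f"zero_byte_fraction {zero_byte / n:.2f}")
    if n and hex_names / n > JUNK_FRACTION:
        flags.append(f"programmatic_names {hex_names / n:.2f}")
    if n >= MIN_ENTRIES_FOR_DENSITY and density > ENTRIES_PER_KIB:
        flags.append(f"entries_per_kib {density:.1f}")
    if exec_entries:
        flags.append(f"executable_entries {exec_entries[:3]}")
    return {"entries": n, "zero_byte": zero_byte, "hex_names": hex_names,
            "exec_entries": exec_entries, "flags": flags,
            "verdict": "quarantine" if flags else "pass"}


if __name__ == "__main__":
    for label, data in (("benign", build_benign_zip()),
                        ("padded", build_padded_zip())):
        print(label, len(data), "bytes")
        print("  naive_scan :", naive_scan(data))
        print("  triage_zip :", triage_zip(data))
```

triage_zip reads only the central directory through zipfile's infolist(), so its cost scales with the entry count rather than the decompressed size and it never writes to disk; in a gateway pipeline the same fields would be emitted per attachment to the SIEM. naive_scan is the weak pattern: with its default 5,000-entry budget it passes the 5,001-entry sample and reports that the budget, not the inspection, ended the scan.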
