Hackers Exploit ZIP File Concatenation to Evade Detection,Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows, iPhones Seized by Cops Are Rebooting, and No One’s Sure Why and Mozilla’s ODIN releases an astonishing analysis of security issues in the large language model
This is Cyber Security Today. I’m your host, Jim Love
Cybercriminals are leveraging a new technique, ZIP file concatenation, to deliver malicious payloads in compressed files without being detected by most security systems. This method was discovered by Perception Point while analyzing a phishing attack disguised as a shipping notice. The attack used a concatenated ZIP file to hide a trojan.
Hackers create multiple ZIP archives, embedding malware in one and leaving the others with benign content. The ZIP files are merged by appending the binary data of one file to the other, creating a single file with multiple ZIP structures.
The exploitation depends on how different ZIP parsers handle concatenated files.
- 7zip only reads the first ZIP file and may issue a warning that can be missed by users.
- WinRAR displays all ZIP contents, exposing the malicious files.
- Windows File Explorer might fail to open the file or only display one of the archives, depending on the file extension.
Hackers adjust their approach based on how each system handles the files, ensuring the malware remains hidden.
As always, organizations should treat ZIP attachments with caution and use filters to block suspicious file types. To further mitigate this threat security solutions need tosupport recursive unpacking to analyze all ZIP structures.
+++
Hackers Use Excel Files to Deliver Remcos RAT Variant on Windows
Cybersecurity researchers at Fortinet’s FortiGuard Labs have uncovered a phishing campaign targeting Microsoft Windows users with a new variant of the Remcos RAT (Remote Access Trojan). This malware allows attackers to remotely control infected systems, gather data, and perform malicious operations such as keylogging and webcam capture.
The attack begins with a phishing email disguised as an order notification, containing a malicious Excel document. Once opened, the document exploits the CVE-2017-0199 vulnerability, which allows remote code execution via Microsoft Office. This vulnerability downloads and runs an HTML Application (HTA) file that delivers the Remcos RAT.
The malware uses multiple techniques to evade detection, including process hollowing, where it injects code into a legitimate process. It also employs advanced anti-debugging techniques, such as monitoring for the presence of debuggers and using custom exception handlers to prevent analysis. Additionally, it modifies the system registry to launch automatically on startup, ensuring persistence.
To protect against this threat, users are advised to avoid suspicious email attachments, keep software updated, and use security tools like antivirus software and Content Disarm and Reconstruction (CDR) services.
+++
iPhones Seized by Cops Are Rebooting, and No One’s Sure Why
Police in Detroit are reporting that iPhones in their custody are mysteriously rebooting, making it more difficult for them to extract digital evidence. The phenomenon, believed to be linked to iOS 18, resets the phones to a less accessible state known as “Before First Unlock” (BFU) after rebooting. In BFU, most user data is locked, and only limited system data can be accessed, hindering forensic investigations.
Documents obtained by 404 Media reveal that law enforcement officials suspect this may be a new security feature in iOS 18. Oddly, the reboots have been observed even in phones isolated from networks, including one stored in a Faraday box. Some speculate that iPhones in proximity might be communicating and triggering these reboots, but the exact cause remains unclear.
Investigators are now warning others to isolate devices to prevent reboots and loss of access. Further testing is needed to determine how these reboots occur and whether they are indeed part of iOS 18’s security protocols.
ODIN Blog Shows OpenAI Structural Issues
On the weekend podcast, we had an interview with Marco Figueroa, the program manager for GenAI in Mozilla’s ODIN project. We discussed how prompt hacking or jailbreaking could be used to get past the guardrails of Large Language Models. We also mentioned a discover that Marco had made while exploring this topic.
We couldn’t release that part of the interview because we didn’t have full clearance from ODIN at that time. Since then, they were kind enough to send us a draft of the blog post under embargo. It should be published in the coming days, but it’s approved for release this Monday.
The post dives into the Debian-based sandbox environment where ChatGPT’s code runs, highlighting its file system and command execution capabilities. Readers of the blog will see how simple prompt injections can not only elicit forbidden responses from the LLM, they can expose internal directory structures and expose file systems.
The post explores the process of uploading, executing, and moving files within ChatGPT’s container, revealing a level of interaction that the writers say, “feels like full access within a sandboxed shell.” Python scripts can be run, files can be listed with ease and even moved and sharing via links with other users.
Potentially, the core instructions and knowledge embedded in ChatGPTs can be revealed through clever prompt engineering.
The writer’s comment that this is a feature, not a bug. OpenAI’s transparency goals allow users to access configuration details, but that raises questions about data sensitivity and privacy that users may not know about.
The reason for our delay in featuring this story, and even then, we are not publishing details. We will wait for the ODIN blog to do that, is that ODIN wanted to ensure that “no vulnerability submission blogs are published without submitting the vulnerability and obtaining clear, written consent from the respective LLM organization, authorizing our researchers to share this information.”
We’ll publish a full link to the information as soon as the blog is up. Check back with the shownotes to this episode at technewsday.com/podcasts
And if you’d like to hear the story of discovering this first hand, we have the redacted part of Marco’s interview added to this episode. Just keep listening after the close for the feature we’re calling “Afterwords”
That’s our show for today.
You can find links to reports and other details in our show notes at technewsday.com. We welcome your comments, tips and the occasional bit of constructive criticism at editorial@technewsday.ca
I’m your host, Jim Love, thanks for listening. Hang on for “Afterwords”