Keeping your AV enabled and not extracting the ZIP

Public Service Announcement

This is something I wanted to write a post about, as it still seems to be getting lots of hits and fooling lots of people. I will write the TL;DR here so you can get the message now and read further if you want to learn more.

If ANY program EVER tells you to disable your Anti-Malware solution, PROCEED WITH EXTREME CAUTION. If you are ever provided with a password protected archive, again PROCEED WITH EXTREME CAUTION.

Now that the TL;DR is out of the way, let me explain.

There have been many campaigns with something in common: a password protected ZIP file hosted alongside a page that contains both the password AND instructions to disable your Anti-Malware solution. The ZIP file contains infected files, usually Redline or similar; if the person follows the instructions as provided, they will have disabled their Anti-Malware solution, which will then not detect the sample.

This is a common tactic used to distribute malware. The download is usually dressed up as something the user would want, such as a tool or a cracked version of software, to get people to download it and follow the instructions that get them infected. These are also commonly posted on YouTube as "tutorials", again to make them more believable. If you ever see this, BEFORE you run the file, upload it to tools such as VirusTotal and check the results, or think about whether it is really trustworthy. If you got it from a YouTube video, search for the link in YouTube's search and see if you find identical videos posted from loads of different channels. If you do, this is a sign it might be stealing accounts. If it does come back malicious, just report the video and move on.

Another thing: if you are ever given a ZIP file with a password, be very suspicious. Generally this is done because the contents are detected by Anti-Malware solutions, and encrypting the ZIP file with a password stops it from being scanned and detected by whatever solution you run. It will also stop any results from showing up if you upload the ZIP to tools such as VirusTotal, as the encrypted ZIP file cannot be identified or extracted without the password, which is given to you but not to whatever tool is trying to scan it.
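One check this implies for a defender: the entry names and the encryption flag of a ZIP live in its central directory, which is never encrypted, so you can tell that an archive is password protected and that it claims to contain an executable without knowing the password and without extracting anything. The Python below is an added example, not part of the original post; build_zip hand-constructs a sample archive with the encryption bit set (the payload bytes are a constructed stand-in, not real ciphertext), and triage_zip reports what a scanner could and could not see.

```python
import io
import struct
import zipfile
import zlib

# Windows executable and script extensions worth flagging in a triage report.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".dll", ".lnk")


def build_zip(entries):
    """Hand-build a minimal STORED ZIP from (name, payload, encrypted) tuples.
    encrypted=True sets general-purpose flag bit 0, as a password-protected archive does."""
    local, central = bytearray(), bytearray()
    for name, payload, encrypted in entries:
        flags, crc, nm, offset = (1 if encrypted else 0), zlib.crc32(payload), name.encode(), len(local)
        # Local file header: version, flags, method, time, date, crc, csize, usize, name len, extra len
        local += b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, crc,
                                             len(payload), len(payload), len(nm), 0) + nm + payload
        # Central directory header: same fields plus comment len, disk, attributes, local header offset
        central += b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, flags, 0, 0, 0, crc,
                                               len(payload), len(payload), len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return bytes(local + central + eocd)


def triage_zip(data):
    """Report what a ZIP claims to hold and whether a scanner could inspect it.
    Reads only the (never encrypted) central directory: no password, no extraction."""
    encrypted, executables = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # bit 0: entry data is encrypted
                encrypted.append(info.filename)
            if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
                executables.append(info.filename)
    if encrypted and executables:
        risk = "high"    # an executable whose bytes no AV or VirusTotal can scan
    elif encrypted:
        risk = "medium"  # opaque contents of unknown type
    else:
        risk = "low"     # fully scannable archive
    return {"encrypted_entries": encrypted, "executables": executables, "risk": risk}


# Constructed sample mimicking the lure in the post: a password-protected archive
# whose only executable cannot be scanned, beside an unencrypted text file.
SAMPLE_ZIP = build_zip([
    ("Setup.exe", b"\x00" * 64, True),
    ("readme.txt", b"password is on the download page", False),
])
```

Running triage_zip(SAMPLE_ZIP) reports Setup.exe as both encrypted and executable with risk "high", which is exactly the situation where a scanner has nothing to work with.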

Here is a real example I found while looking into this.

As you can see here (I removed the name of the sample), it wants you to download a password protected ZIP file from the link above with the password below. It then gives you instructions to both disable your VPN (so they can get your IP) and to disable any protection you may have installed, so that when you extract the ZIP nothing is going to alert you or stop you from running the Redline malware contained in the executable (which will end up stealing your accounts and reposting itself on them to try and infect more people).

Protect yourself: if you are ever given a password protected ZIP file and/or given instructions to impair or disable your protection software, walk away. It is most likely trying to give you malware.
