ZIP files, make it bigger to avoid EDR detection

Our Purple Team analysts have spotted a number of anomalies concerning zip files. ZIP is originally a file format for archiving and compressing data without loss of quality. These files attracted our attention because they were abnormally large compared to the size of the zip archive, suggesting the presence of malware, for example.

In this example, the zip file is 2.5 MB in size, and the unzipped malware is 2.1 GB. After some research on VT (virus total) and other tools, we decided to investigate further.

This article reports on what we found.
Le Lab Gatewatcher D

ZIP and its usefulness


Before any advanced analysis of this file and its contents, we find out about the associated compression rates. For a PE file, the maximum compression ratio is around 50%. In other words, if we have a 1GB executable file and we compress it, we should end up with a zip file of around 500MB.

Following this rule of proportionality, our file should be around 1GB, which is absolutely not the case. Starting with a 2.1GB file and arriving at a 2.5MB zip archive, we obtain a compression ratio of 99%.

It appears that from this address, a padding of 0 is applied to the end of the file. Once this padding has been identified, it can be removed, giving us a functional PE file of around 1 MB. The latter, after compression into a Zip file, is around 500KB, thus verifying for this file the proportionality mentioned earlier.

So, we’ve identified why the compression ratio was so high, but why would we need to artificially obtain such a high compression ratio?

The answer lies in the detection systems and their parameters.

As the PE file in the zip is most likely malicious, this technique would allow it to slip through the net of most EDRs. As EDRs have a default “limit”, files larger than 1GB, or even 2GB in some cases, are not analyzed. This technique is not new, but it is resurfacing with the rise of EDRs, which are just one of the many layers in a company’s attack detection and incident response system.

Identity and main characteristics of the file


Once the file had been extracted and sent to various sandboxes, we were able to get a more precise idea of the PE file and what it was doing.

Thanks to our research, we can now say that we’re dealing with an Asyncrat agent, a RAT (Remote Access Trojan) that can take control of a remote workstation via an encrypted connection and perform all kinds of malicious actions.

Following our research and the various reports we were able to find on the subject, we identified the attacker’s command server.

In order to find out more about the infrastructure, we set out to find out a little more about the server in question. When looking for information on 45.81.243.217, we find a number of open ports and certificates. Let’s take a look at the certificate with CN (Common Name) Asyncrat. This information allows us to conclude that Asyncrat embeds certificates by default.

There are over 47,300 servers worldwide with the same certificate. As these servers use an Asyncrat certificate by default, it is more than likely that they are deployed by inexperienced attackers, or pentest teams, with a default configuration. This makes them particularly recognizable.

ZIP and padding, or how to avoid detection techniques ?


During our investigations, we were able to report the use of a detection evasion technique, padding, to artificially increase the size of the malware when decompressed.

In the course of our research into this malware, we identified it as a Trojan of the Asyncrat family. We also found the attacker’s command server, enabling him to dialogue with the implant. By following the certificate we discovered a number of servers administered by attackers with a configuration using an Asyncrat certificate.

IOCs concerning the malware described and another malware using a similar padding technique:

Zip Hash

IOCs concerning Asyncrat’s infrastructure: