Clever Phishing Toolkit Emerges: Fake WinRAR and Windows File Explorer on ZIP Domains

May 29, 2023 | News


In a concerning development, a newly discovered phishing kit dubbed ‘File Archivers in the Browser’ has surfaced, taking advantage of ZIP domains to perpetrate fraudulent activities. This insidious toolkit leverages the display of counterfeit WinRAR and Windows File Explorer windows within the browser interface, cleverly deceiving unsuspecting users into launching malicious files.

Earlier this month, Google introduced the option to register ZIP top-level domain (TLD) addresses, enabling users to host websites or create email addresses using ZIP extensions. However, since their release, a heated debate has ensued regarding the potential cybersecurity risks associated with these domains.

Twitter DM automatically turns setup.zip into a link
Source: BleepingComputer

While some experts argue that concerns are exaggerated, the primary worry revolves around certain websites automatically converting strings ending with ‘.zip’ into clickable links. This functionality inadvertently opens the door to malware delivery and phishing attacks, as individuals may be deceived into clicking on seemingly harmless links.


A file archiver in the browser

Illustrating these concerns, security researcher mr.d0x has released a phishing toolkit that capitalizes on ZIP domains. The toolkit simulates the presence of authentic file archiver software, such as WinRAR, within the browser interface, fostering an appearance of legitimacy.

During a demonstration shared with BleepingComputer, the toolkit showcased its ability to embed a counterfeit WinRAR window directly in the browser when a .zip domain is accessed. Users are presented with a seemingly legitimate ZIP archive, complete with the illusion of browsing its contents. Notably, the toolkit’s effectiveness is heightened when deployed as a popup window, allowing for the removal of the address bar and scrollbar, resulting in a more convincing WinRAR window illusion.

Fake in-browser WinRAR screen pretending to open a ZIP archive
Source: BleepingComputer

To further enhance its credibility, the researcher added a deceptive security scan button to the toolkit. Upon clicking, users are greeted with a reassuring message indicating that the scanned files are free from threats, a tactic aimed at instilling a false sense of security.

Fake file scanner
Source: BleepingComputer

Despite retaining the browser’s address bar, this sophisticated toolkit has the potential to deceive unsuspecting victims into believing they are interacting with a genuine WinRAR archive. Moreover, the possibility of employing creative CSS and HTML techniques could refine the toolkit’s effectiveness even further.

Additionally, mr.d0x has developed another variant of the phishing toolkit, featuring a counterfeit in-browser Windows File Explorer interface that pretends to open ZIP files. While still a work-in-progress with some missing elements, this variant adds another layer to the phishing kit’s deceptive capabilities.

Fake Windows File Explorer shown in the browser
Source: BleepingComputer

Phishing Toolkit

This phishing toolkit, as explained by mr.d0x, poses a dual threat, enabling both credential theft and malware delivery. For instance, within the fake WinRAR window, if a user double-clicks on a PDF file, they may unknowingly be redirected to a fraudulent page that solicits their login credentials under the guise of accessing the file.

Furthermore, the toolkit can be employed to deliver malware by presenting a PDF file for download, which, when clicked, initiates the download of an identically named .exe file. Given that Windows does not display file extensions by default, users may perceive it as a harmless PDF file, subsequently falling victim to executing the concealed executable.

Of particular concern is how Windows searches for files and, when unable to locate them locally, resorts to opening the searched string within a browser. If the string corresponds to a valid domain, the associated website will be launched; otherwise, Bing search results will be displayed. This mechanism inadvertently opens the door for potential abuse, as cybercriminals registering ZIP domains mirroring common file names can trick the operating system into opening malicious websites masquerading as genuine ZIP archives displayed by WinRAR.
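As an added example (not code from the article or from mr.d0x's kit), the following Python flags the two ambiguities the article describes from the defender's side: bare tokens such as setup.zip that a chat client, mail client or the Windows search box may treat as a hostname instead of a file name, and a download whose link text says .pdf while the saved file is an executable. The .mov TLD (released in the same batch as .zip), the executable extension list and the sample message are assumptions of mine.

```python
import re

# TLDs that collide with common file extensions. The article covers .zip;
# .mov is added here as an assumption (it was released in the same batch).
FILE_LIKE_TLDS = ("zip", "mov")

# Extensions Windows will run. With extensions hidden, report.pdf.exe is shown
# as report.pdf, which is the trick the article describes.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "msi", "js", "vbs", "hta", "lnk"}

# A bare token like setup.zip or v1.2.zip that is not already inside a URL
# or e-mail address (those are links anyway; the ambiguity is in plain text).
_TLD_ALT = "|".join(FILE_LIKE_TLDS)
HOST_LIKE_RE = re.compile(
    rf"(?<![\w/.@-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:{_TLD_ALT}))(?![\w/-])(?!\.\w)",
    re.IGNORECASE,
)


def find_host_like_tokens(text):
    """Return tokens that a client (or the Windows search box) may turn into a link."""
    return [m.group(1) for m in HOST_LIKE_RE.finditer(text)]


def extension_mismatch(displayed_name, saved_name):
    """True when the link text looks like a document but the saved file is executable."""
    shown = displayed_name.rsplit(".", 1)[-1].lower() if "." in displayed_name else ""
    real = saved_name.rsplit(".", 1)[-1].lower() if "." in saved_name else ""
    return real in EXECUTABLE_EXTS and shown != real


def triage_download(displayed_name, saved_name, referer_host=""):
    """Combine both checks for one download event; returns reasons to hold it."""
    reasons = []
    if extension_mismatch(displayed_name, saved_name):
        reasons.append(f"extension mismatch: shown {displayed_name}, saved {saved_name}")
    if referer_host.lower().rsplit(".", 1)[-1] in FILE_LIKE_TLDS:
        reasons.append(f"served from a file-like TLD: {referer_host}")
    return reasons


# Constructed sample message (not from the article).
SAMPLE_MESSAGE = ("Unzip setup.zip, then play update.mov and read readme.txt; "
                  "info at https://example.zip/info.")

if __name__ == "__main__":
    print(find_host_like_tokens(SAMPLE_MESSAGE))
    print(triage_download("Invoice.pdf", "Invoice.pdf.exe", "setup.zip"))
```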

This elaborate technique serves as a stark reminder of the vulnerability introduced by ZIP domains, which can be exploited for the creation of sophisticated phishing attacks, malware delivery, and credential theft. As a renowned figure in the field, mr.d0x has previously showcased his prowess in devising clever phishing toolkits, including the utilization of VNC for bypassing multi-factor authentication (MFA) and the Browser-in-the-Browser technique, which threat actors leveraged to pilfer Steam credentials.


Source: bleepingcomputer.com
