Browser-Based File Archiving: A New Threat Vector

Chenny Ren
4 min read · Jun 23, 2023

Inspired by Mr. D0x’s phishing method, outlined in the article linked below, this piece looks at the security risks introduced by Google’s newly released .zip top-level domain.

Security Research | mr.d0x

By emulating popular file archiver software (like WinRAR) in a browser and using a .zip domain, a believable illusion of legitimacy can be created, thus enhancing the effectiveness of phishing attacks.

To execute this attack, the phisher first creates a replica of file archiving software using HTML/CSS. Mr.D0x provides two examples of this on his GitHub repository.

Examining these samples shows that one simulates the WinRAR file archiver, while the other simulates the Windows 11 File Explorer window. The latter was designed by @_ghast1y.

The WinRAR template includes several interactive details, such as a ‘Scan’ icon that displays a message claiming the files are safe, and an ‘Extract To’ button that triggers a file download. These details make the phishing page look more authentic.

Use Cases

Once the template is hosted on a .zip domain, there are several ways to mislead the user. mr.d0x describes two sample use cases below.

Credential Harvesting

The first use case is credential harvesting: clicking a listed file opens a new web page that asks the user to log in.

File Extension Switcheroo

Another use case is listing a non-executable file that, when the user clicks to download it, delivers an executable instead. For example, the page lists an “invoice.pdf” file, but clicking it initiates the download of a .exe or any other file type.

Delivery

Several people pointed out on Twitter that the Windows File Explorer search bar is a good delivery vector. If the user searches for mrd0x.zip and no such file exists on the machine, Windows automatically opens the name in the browser as a URL. This suits the scenario well, since the user is already expecting to see a ZIP file.

An example of a phishing email that could be sent to an unsuspecting target.

Once the user does this, the .zip domain opens automatically and displays the file archive template, which looks quite legitimate.

Conclusion

The newly launched TLDs give attackers more opportunities for phishing. Organizations are strongly advised to block .zip and .mov domains, as they are already being used for phishing and their use will likely only increase.
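As an added example (not code from this post or from mr.d0x’s repository), the following Python snippet implements the two defensive checks this recommendation implies: a TLD block policy that a proxy or DNS filter could apply, and a scan of message text for tokens such as invoice.zip that read as filenames but are also valid hostnames. The regex, the function names and the sample messages are my own assumptions.

```python
"""Flag .zip / .mov "filenames" that are also valid hostnames, and apply a TLD block policy."""
import re

# TLDs that collide with common file extensions; the post recommends blocking both.
BLOCKED_TLDS = frozenset({"zip", "mov"})

# Hostname: one or more DNS labels (letters, digits, hyphens; 1-63 chars each)
# ending in a blocked TLD. Lookarounds stop partial matches inside longer tokens.
_HOST_RE = re.compile(
    r"(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+(zip|mov))(?![\w-])",
    re.IGNORECASE,
)


def tld_of(hostname):
    """Return the lower-cased last label of a hostname ('invoice.zip' -> 'zip')."""
    return hostname.rstrip(".").rsplit(".", 1)[-1].lower()


def is_blocked(hostname):
    """Policy check a proxy or DNS filter would apply: block any name under a blocked TLD."""
    return tld_of(hostname) in BLOCKED_TLDS


def find_risky_names(text):
    """Return distinct tokens that read as filenames but parse as hostnames under a blocked TLD.

    Tokens are flagged whether they appear bare or inside a URL, because either
    form can be typed into the File Explorer search bar and opened as a site.
    """
    seen, found = set(), []
    for match in _HOST_RE.finditer(text):
        name = match.group(1).lower()
        if name not in seen:
            seen.add(name)
            found.append(name)
    return found


def triage(messages):
    """Map message id -> risky hostnames, omitting messages with none."""
    return {mid: names for mid, body in messages.items() if (names := find_risky_names(body))}


# Constructed sample messages (not from the post); the first mimics the lure described above.
SAMPLE_MESSAGES = {
    "msg-1": "Hi, please search for invoice-2023.zip in File Explorer and extract it.",
    "msg-2": "Attached is the quarterly report (report.pdf) for your review.",
    "msg-3": "Watch the recording at https://town-hall.mov/ before Friday.",
}

if __name__ == "__main__":
    for mid, names in triage(SAMPLE_MESSAGES).items():
        print(mid, "->", ", ".join(names))
```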

Looking at this from my angle, this new kind of phishing attack is super sneaky. It uses things we know and trust — like how a file archive looks or a .zip file — and turns them against us. The bad guys are getting really clever, always finding new ways to trick us as technology keeps changing. This kind of attack shows that we all need to be on our toes. We need to block certain web addresses, like .zip and .mov, that these scammers like to use. And, it’s super important to keep learning about these tricks and how to stay safe online. The game of cybersecurity is like a race. We have to keep moving, stay aware, and always be ready to act.


Chenny Ren

OSCP | OSWP | OSEP | CRTP | CRTE | CRTO | Red Team Professional | SOC engineer