“.Zip” domains’ phishing attacks


Attack technique

Technique name: “.ZIP” domains abuse

MITRE ATT&CK
Tactic: Initial Access, Defense Evasion
Technique: Phishing, Masquerading

Technique description
In May 2023, Google opened registration for eight new top-level domains, including the .ZIP top-level domain. According to Google, a .ZIP domain (URL) should signal to the audience that the service provided under it is fast and efficient.

Although the original intention was clear, choosing “.ZIP” as a top-level domain created an unwanted problem because of its similarity to the well-known .zip file extension.

Threat actors started using these domains for malicious purposes such as phishing, for example with malicious “ZIP” domains that mimic file names.
Several methods that attackers can use to conduct attacks with “.ZIP” domains have already been posted online, including:

  • Malicious websites that mimic known login pages (such as the Microsoft online login page), hosted under a .zip domain.
  • Taking advantage of the “UserInfo” part of a URL to inject a malicious domain right after a benign domain.
  • Taking advantage of earlier forum/social media posts or emails that included file names ending with the .zip extension, by hosting malicious files on domains named after those files.
  • Phishing with what looks like an internal network path ending in a “.zip” file, where the path actually redirects to a .zip domain. Such abuse can take the form of the following link, included in a malicious email: \Fileserver01\Finance\Reports\March Finance-Report.zip
  • This makes it look as though clicking the link will open a local network share containing a file named “March Finance-Report.zip”, while clicking the right-hand part of the link actually leads to a malicious website under the “Finance-Report.zip” domain.

References
Below are several data sources on the abuse of .zip domains in the wild, as well as potential abuse techniques we might see in the future:



Threat hunting theses breakdown

DNS requests towards suspicious .Zip domains


Relevant data sources: EDR Logs
Complementary data sources: Proxy Logs, DNS Logs, Azure Sign-in Logs, etc.


Thesis explanation
In this hunting thesis we looked for DNS requests toward highly suspicious or malicious .Zip domains, based on the DNS requests recorded in the organizational EDR logs.



Blind spots
Cases in which a DNS request towards a malicious .Zip domain originated from a host without an EDR agent installed.


Recommended investigation flow

  • Identify outgoing DNS requests related to malicious .ZIP Domains
    • Validate whether the DNS request was resolved to an IP address or there was no DNS resolution (if this data is available in the EDR logs).
  • Look for additional context on this traffic in other log sources, such as proxy logs and DNS logs:
    • Check whether the traffic was blocked at the DNS level (DNS logs).
    • Check whether the traffic was blocked at the proxy level (proxy logs).
    • Identify the site from which the user reached the malicious .zip domain URL (using the Referrer field in the proxy logs).
    • Identify the URLs the user visited after accessing the malicious .zip domain URL.
  • In the case of malicious sites that include a Microsoft-like authentication page → look for suspicious Azure Sign-in logs that occurred after the suspicious DNS request.
  • In the case of a domain that has potentially been used to masquerade as or mimic a file name, such as “update[.]zip” or “photos[.]zip” → look for suspicious file creations after the DNS request.
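As an added example (not code from this hunting library page), the Python below runs the first two investigation steps above over constructed EDR DNS and proxy log lines: it flags queries to .zip TLD names, records whether they resolved, and extracts the host actually contacted from proxy URLs, so the “UserInfo” trick from the technique description surfaces as the real .zip host together with the referer and proxy block status. The log formats, field names and the HTTP 403-as-blocked convention are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample log lines (not from any real environment). The DNS lines
# stand in for EDR DNS telemetry; the proxy lines record the full requested URL.
SAMPLE_DNS_LOG = """\
2023-05-20T09:14:02Z host=WS-0042 qname=update.zip qtype=A rcode=NOERROR
2023-05-20T09:14:05Z host=WS-0042 qname=login.microsoftonline.com qtype=A rcode=NOERROR
2023-05-20T09:15:11Z host=WS-0017 qname=finance-report.zip qtype=A rcode=NXDOMAIN
2023-05-20T09:16:40Z host=WS-0099 qname=Photos.ZIP qtype=AAAA rcode=NOERROR
"""
SAMPLE_PROXY_LOG = """\
2023-05-20T09:14:03Z host=WS-0042 url=https://update.zip/ status=200 referer=https://mail.example.com/
2023-05-20T09:20:10Z host=WS-0055 url=https://github.com@cdn-release.zip/v1 status=403 referer=-
2023-05-20T09:21:00Z host=WS-0055 url=https://www.example.com/ status=200 referer=-
"""
# Field layout and names are assumptions about the constructed logs above.
DNS_RE = re.compile(r"host=(\S+) qname=(\S+) .*rcode=(\S+)")
PROXY_RE = re.compile(r"host=(\S+) url=(\S+) status=(\d+) referer=(\S+)")

def is_zip_tld(hostname: str) -> bool:
    """True when the name ends in the .zip top-level domain (case-insensitive)."""
    return hostname.lower().rstrip(".").endswith(".zip")

def real_host(url: str) -> str:
    """Host a browser would actually connect to. urlparse drops the user-info
    part before '@', so 'https://github.com@evil.zip/' yields 'evil.zip'."""
    return (urlparse(url).hostname or "").lower()

def hunt_dns(log: str) -> list:
    """(endpoint, qname, resolved) for every query to a .zip TLD name."""
    hits = []
    for m in DNS_RE.finditer(log):
        endpoint, qname, rcode = m.groups()
        if is_zip_tld(qname):
            hits.append((endpoint, qname.lower(), rcode == "NOERROR"))
    return hits

def hunt_proxy(log: str) -> list:
    """(endpoint, real host, blocked, referer, userinfo_trick) for .zip TLD URLs.
    Treating HTTP 403 as 'blocked by proxy' is an assumption for these samples."""
    hits = []
    for m in PROXY_RE.finditer(log):
        endpoint, url, status, referer = m.groups()
        target = real_host(url)
        if is_zip_tld(target):
            userinfo_trick = "@" in urlparse(url).netloc  # benign name before '@'
            hits.append((endpoint, target, status == "403", referer, userinfo_trick))
    return hits
```

The DNS hits give the endpoints to pivot on for the later steps (sign-in logs, file creations), and the proxy hits show which of those reached the site and from where.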