Cybercriminals are always looking for new avenues to distribute malware without being detected by antivirus scanners and secure email gateways. This is illustrated in a new phishing campaign that utilizes a specially crafted ZIP file that is designed to bypass secure email gateways to distribute the NanoCore RAT. All ZIP archives contain a special structure that contains the compressed data and information about the compressed files. The new spam campaign, discovered by researchers from Trustwave, pretends to be shipping information from an Export Operation Specialist of USCO Logistics. When examining the file, the Trustwave researchers discovered that the ZIP archive contained two distinct archive structures, each marked by their own End of Central Directory (EOCD) record. A ZIP archive should have only one EOCD record, so this indicated that the ZIP file was specially crafted to contain two archive structures. In a statement from Trustwave, “This sample challenges gateways scanners. Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP structure.”