These file types are the ones most commonly used by hackers to hide their malware


Image: Getty

ZIP and RAR files have surpassed Office documents to become the file types most commonly used by cybercriminals to spread malware, according to an analysis of real-world cyberattacks and data collected from millions of PCs.

Research based on HP Wolf Security customer data found that between July and September of this year, 42% of malware delivery attempts used archive file formats, including ZIP and RAR.

That means cyberattacks that exploit ZIP and RAR formats are now more common than attacks that distribute malware using Microsoft Office documents such as Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.

According to the researchers, this marks the first time in more than three years that archives have overtaken Microsoft Office files as the most popular means of spreading malware.

Encrypting malicious payloads and hiding them in archives gives attackers a way to bypass multiple layers of protection.

“Archives are easy to encrypt, helping threat actors hide malware and evade web proxies, sandboxes, browsers or email scanning. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques,” said Alex Holland, senior malware analyst at HP Wolf Security’s threat research team.

In many cases, attackers are crafting phishing emails that look like they come from well-known brands and online service providers, intended to trick users into opening and running malicious ZIP or RAR files.

This includes the use of malicious HTML files attached to emails and masquerading as PDF documents. If opened, the HTML file displays a fake online document viewer that decodes the embedded ZIP archive; if the user downloads and runs it, they are infected with malware.
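As an added illustration of the detection side of this technique (this code is not from the article or from HP Wolf Security), here is a small Python check that flags an HTML attachment which embeds a base64-encoded ZIP archive and uses in-browser download APIs, and lists any script or executable entries inside that archive. The sample HTML and the archive it carries are constructed inline and contain no payload; the extension and API lists are the author's assumptions, not a published signature.

```python
import base64
import io
import re
import zipfile

# Constructed sample (not a real campaign artefact): an HTML "document viewer"
# that carries a base64 ZIP holding a .js file and triggers a browser download,
# the HTML smuggling pattern the article describes.
def build_sample_html():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.js", "// inert placeholder, no payload\n")
    blob = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Loading secure document viewer...</p><script>\n"
        f'var b = atob("{blob}");\n'
        "var a = new Uint8Array(b.length);\n"
        "for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);\n"
        "var u = URL.createObjectURL(new Blob([a], {type: 'application/zip'}));\n"
        "var l = document.createElement('a'); l.href = u; l.download = 'Invoice.zip'; l.click();\n"
        "</script></body></html>"
    )

# Extensions that have no business sitting inside an emailed archive (assumed list).
RISKY_EXT = (".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".dll", ".exe", ".iso", ".img")
# Browser APIs that, together with an embedded archive, characterise HTML smuggling.
SMUGGLING_APIS = ("atob(", "Blob(", "createObjectURL", ".download", "msSaveOrOpenBlob")

def analyse_html(html):
    """Flag an HTML attachment that embeds an archive and uses in-browser download APIs."""
    findings = {"apis": [a for a in SMUGGLING_APIS if a in html],
                "archive_entries": [], "risky_entries": []}
    # Long base64 runs are candidate embedded payloads; decode each and sniff the magic bytes.
    for m in re.finditer(r"[A-Za-z0-9+/]{100,}={0,2}", html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except Exception:
            continue
        if raw.startswith(b"PK\x03\x04"):
            # Only the central directory is read; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(raw)) as zf:
                names = zf.namelist()
            findings["archive_entries"] += names
            findings["risky_entries"] += [n for n in names if n.lower().endswith(RISKY_EXT)]
        elif raw.startswith(b"Rar!\x1a\x07"):
            findings["archive_entries"].append("<RAR archive: not parsed here>")
    smuggled = len(findings["apis"]) >= 2 and findings["archive_entries"]
    findings["verdict"] = "suspicious" if smuggled else "clean"
    return findings
```

Run `analyse_html(build_sample_html())` to see the constructed sample flagged as suspicious with `Invoice_2022.js` listed as a risky entry; a plain HTML page with no embedded archive comes back clean.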

According to analysis by HP Wolf Security, one of the most notorious malware campaigns currently relying on ZIP archives and malicious HTML files is Qakbot, a malware family that is not only used to steal data but also serves as a backdoor for deploying ransomware.

Qakbot re-emerged in September, with malicious messages sent via email claiming to relate to online documents that needed to be opened. If the archive's contents are run, malicious commands download and execute payloads in the form of dynamically linked libraries, which are then launched using legitimate, but often abused, Windows tools.

Soon after, the cybercriminals distributing IcedID, a form of malware installed to enable hands-on, human-operated ransomware attacks, started using a pattern that closely resembled the one used by Qakbot, abusing archives to trick victims into downloading malware.

Both campaigns work to make sure fake emails and HTML pages look legitimate to fool as many victims as possible.

“What’s interesting with the QakBot and IcedID campaigns is the attempt to create fake pages – these campaigns are more convincing than we’ve seen before, making it hard for people to know what files they can and can’t trust,” Holland said.

A ransomware group has also been found abusing ZIP and RAR files in this way. According to HP Wolf Security, a campaign run by the Magniber ransomware group targets home users with file-encrypting attacks and demands $2,500 from each victim.

In this case, the infection begins with a download from a website controlled by the attacker. The site prompts users to download a ZIP archive containing a JavaScript file purporting to be an important Windows 10 or antivirus software update. If run, it downloads and installs the ransomware.

Prior to this latest Magniber campaign, the ransomware was spread through MSI and EXE files, but like other cybercriminals, its operators have seen the success that can be achieved by distributing hidden payloads in archive files.

Cybercriminals are constantly changing their attacks, and phishing remains one of the main methods of spreading malware because it is often difficult to tell whether an email or file is legitimate, especially when the malicious payload has been hidden somewhere that anti-virus software may not be able to inspect.

Users are encouraged to be cautious of urgent requests to open links and download attachments, especially from unsolicited or unknown sources.
