Office files are no longer the most common file type for delivering malware, as archive file formats such as ZIP and RAR files are the file type of choice for threat actors to deliver malware, according to a new report from HP Wolf Security.
The findings come from a quarterly report from HP’s endpoint security division, which found that 44% of malware was delivered inside archive files, an 11% rise from the previous quarter. In comparison, 32% of malware was delivered through Microsoft Office files such as Word, Excel and PowerPoint.
HP Wolf Security’s report identifies several campaigns that were combining the use of archive files with new HTML smuggling techniques, which is when cybercriminals embed malicious archive files into HTML files to bypass email gateways.
For example, recent QakBot and IceID campaigns used HTML files to direct users to fake online document viewers masquerading as Adobe. Users were instructed to open a ZIP file and enter a password to unpack the files, which then deployed malware on their PCs, the company says.
The malware within the original HTML file is encoded and decrypted, making detection by email gateway and other email security tools challenging. The attacker relies on social engineering and creates a well-designed website to fool users into initiating the attack by opening the malicious ZIP file, according to HP Wolf Security.
Alex Holland, a senior malware analyst on HP Wolf Security’s threat research team, says archives are easy to encrypt and help conceal malware and avoid detection.
“This makes attacks difficult to detect, especially when combined with HTML smuggling techniques,” Holland says. “What was interesting with the QakBot and IceID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we’ve seen before, making it hard for people to know what files they can and can’t trust,”
The company also identified a complex campaign leveraging a modular infection chain that could enable attackers to change the payload mid campaign, potentially allowing them to change between spyware, ransomware or keyloggers midcampaign. This could also allow the introduction of new features, such as geo-fencing.
By not including malware directly in an email attachment, this could also help attackers evade detection by email security tools.
Dr. Ian Pratt, global head of security for personal systems at HP, says attackers are constantly changing their techniques and making it difficult for detection tools to spot.
“By following the Zero Trust principle of fine-grained isolation, organizations can use micro-virtualization to make sure potentially malicious tasks – like clicking on links or opening malicious attachments – are executed in a disposable virtual machine separated from the underlying systems,” Pratt says. “This process is completely invisible to the user, and traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally.”
Leave a Reply