These types of files are most commonly used by hackers to hide their malware

ZIP and RAR files have overtaken Office documents as the most common files used by cybercriminals to distribute malware, according to an analysis of actual cyberattacks and data collected from millions of PCs.

The study, based on HP Wolf Security customer data, found that between July and September this year, 42% of attempted malware attacks used archive file formats, including ZIP and RAR.

This means that cyberattacks attempting to exploit ZIP and RAR formats are more common than those attempting to spread malware using Microsoft Office documents such as Microsoft Word and Microsoft Excel files, which have long been the method preferred to trick victims into downloading malware.

According to the researchers, this is the first time in more than three years that archive files have overtaken Microsoft Office files as the most common way to distribute malware.

Encrypting malicious payloads and hiding them in archive files gives attackers a way to bypass many security protections.

“Archives are easy to encrypt, which helps hackers hide malware and evade web proxies, sandboxes or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques,” said Alex Holland, senior malware analyst in the HP Wolf Security threat research team.


In many cases, attackers craft phishing emails that appear to come from well-known brands and online service providers, which attempt to trick the user into opening and running the malicious ZIP or RAR file.

This includes malicious HTML files attached to emails that pose as PDF documents; when opened, they display a fake online document viewer that decodes an embedded ZIP archive. If the user downloads and opens it, it infects them with malware.

According to analysis by HP Wolf Security, one of the most notorious malware campaigns that now relies on malicious ZIP archives and HTML files is Qakbot – a malware family that is not only used to steal data, but also used as a back door to deploy ransomware.

Qakbot reappeared in September, with malicious email messages claiming to be linked to online documents that needed to be opened. If the archive was executed, it used malicious commands to download and execute the payload as a dynamic link library, then launched using legitimate – but commonly abused – tools in Windows.

Shortly after, cybercriminals distributing IcedID – a form of malware that is installed in order to enable convenient, human-operated ransomware attacks – began using a pattern nearly identical to Qakbot's, abusing archive files to trick victims into downloading the malware.

Both campaigns worked to ensure that the emails and fake HTML pages appeared legitimate to fool as many victims as possible.

“What was interesting with the QakBot and IcedID campaigns was the effort put into creating the fake pages – these campaigns were more convincing than what we’ve seen before, making it difficult for people to know what files they can and cannot trust,” Holland said.


A ransomware group has also been seen abusing ZIP and RAR files in this way. According to HP Wolf Security, a campaign released by ransomware group Magniber targeted home users, with attacks that encrypted files and demanded $2,500 from victims.

In this case, the infection begins on an attacker-controlled website that prompts users to download a ZIP archive containing a JavaScript file posing as an important antivirus or Windows 10 software update. If the file is executed, it downloads and installs the ransomware.
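The evasion described in the passages above (an encrypted entry inside an archive, a script or DLL as the archive's member, and an HTML page that decodes and hands the archive to the browser) can be triaged from metadata alone, without opening the payload. The following Python is an added example and is not HP Wolf Security's tooling or code from the original article: it reads a ZIP's central directory and flags entries whose encryption bit is set or whose extension is a script or executable type, and it scans an HTML attachment for decode-and-download markers together with a large base64 blob that starts with the ZIP magic. The sample archive and HTML page are constructed inline for the demonstration; the names invoice.js and document.zip are invented, and the encryption flag on the sample is set by patching header bits rather than by real encryption.

```python
"""Triage heuristics for archive and HTML e-mail attachments (added example)."""
import base64
import io
import re
import struct
import zipfile

# Member extensions that rarely have a legitimate reason to arrive inside a mailed archive.
RISKY_MEMBER_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".wsf", ".hta", ".dll", ".exe", ".lnk", ".bat", ".cmd", ".iso", ".img",
}

# Browser APIs an HTML-smuggling page needs to turn an inline string back into a file.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "URL.createObjectURL(", ".download", "msSaveOrOpenBlob(")

# A long run of base64 characters; 512 is a demo threshold, tune it for real mail volumes.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")


def inspect_zip(data: bytes) -> dict:
    """Summarise a ZIP from its central directory only, so encrypted members are still visible."""
    findings = {"entries": 0, "encrypted_entries": [], "risky_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            findings["entries"] += 1
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings["encrypted_entries"].append(info.filename)
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in RISKY_MEMBER_EXTENSIONS):
                findings["risky_members"].append(info.filename)
    findings["suspicious"] = bool(findings["encrypted_entries"] or findings["risky_members"])
    return findings


def inspect_html(html: str) -> dict:
    """Look for the decode-and-download pattern plus a large inline blob that is really a ZIP."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    blobs = B64_BLOB.findall(html)
    # base64 of the local-file-header magic "PK\x03\x04" always begins with "UEsDB".
    embedded_zip = any(b.startswith("UEsDB") for b in blobs)
    return {
        "markers": markers,
        "large_base64_blobs": len(blobs),
        "embedded_zip": embedded_zip,
        "suspicious": embedded_zip or (len(markers) >= 2 and bool(blobs)),
    }


def _set_encryption_flag(zip_bytes: bytes) -> bytes:
    """Constructed-sample helper: set bit 0 of the flags field in every local and central header."""
    buf = bytearray(zip_bytes)
    for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(signature)
        while pos != -1:
            (flags,) = struct.unpack_from("<H", buf, pos + flag_offset)
            struct.pack_into("<H", buf, pos + flag_offset, flags | 0x1)
            pos = buf.find(signature, pos + 4)
    return bytes(buf)


def build_constructed_samples() -> tuple[bytes, str]:
    """Build the demo inputs: a ZIP that claims to be encrypted and carries a .js, and an HTML
    page that embeds it. Both are invented here; the script inside does nothing useful."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.js", "// placeholder script body\n" + "A" * 600)
    sample_zip = _set_encryption_flag(raw.getvalue())
    b64 = base64.b64encode(sample_zip).decode()
    sample_html = (
        "<html><body><p>Loading secure document viewer...</p><script>\n"
        f"var payload = atob('{b64}');\n"
        "var blob = new Blob([payload], {type: 'application/zip'});\n"
        "var a = document.createElement('a'); a.href = URL.createObjectURL(blob);\n"
        "a.download = 'document.zip';\n"
        "</script></body></html>"
    )
    return sample_zip, sample_html


if __name__ == "__main__":
    zip_sample, html_sample = build_constructed_samples()
    print("ZIP :", inspect_zip(zip_sample))
    print("HTML:", inspect_html(html_sample))
```

Both checks deliberately avoid decompressing or executing anything: the ZIP check needs only the central directory, which stays in clear text even when every member is encrypted, and the HTML check treats the page as a string. In a mail gateway the two results would feed a policy such as quarantining any archive with encrypted members or any HTML attachment that carries an inline ZIP, rather than trying to scan the payload itself.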

Prior to this latest Magniber campaign, ransomware was spread through MSI and EXE files – but like other cybercriminal groups, they have noticed the success that can be achieved by delivering payloads hidden in archive files.

Cybercriminals continually modify their attacks, and phishing remains one of the main methods of spreading malware because it is often difficult to tell whether an email or its attachments are legitimate, especially when the malicious payload has been hidden somewhere that anti-virus software may not inspect.

Users are advised to be cautious of urgent requests to open links and download attachments, especially from unexpected or unknown sources.
