ZIP and RAR files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs.
The research, based on customer data by HP Wolf Security, found in the period between July and September this year, 42% of attempts at delivering malware attacks used archive file formats, including ZIP and RAR.
That means cyber attacks attempting to exploit ZIP and RAR formats are more common than those which attempt to deliver malware using Microsoft Office documents like Microsoft Word and Microsoft Excel files, which have long been the preferred method of luring victims into downloading malware.
According to researchers, this marks the first time in over three years that archive files have surpassed Microsoft Office files as the most common means of delivering malware.
By encrypting malicious payloads and hiding them within archive files, it provides attackers with a way of bypassing many security protections.
“Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques,” said Alex Holland, senior malware analyst on the HP Wolf Security threat research team.
In many cases, the attackers are crafting phishing emails which look like they come from known brands and online service providers, which attempt to trick the user into opening and running the malicious ZIP or RAR file.
This includes using malicious HTML files in emails which masquerade as PDF documents – which if run, show a fake online document viewer which decodes the ZIP archive. If it’s downloaded by the user, it will infect them with malware.
According to analysis by HP Wolf Security, one of the most notorious malware campaigns which is now relying ZIP archives and malicious HTML files is Qakbot – a malware family which is not only used to steal data, but also used as a backdoor for deploying ransomware.
Qakbot reemerged in September, with malicious messages sent out by email, claiming to be related to online documents which needed to be opened. If the archive was run, it used malicious commands to download and execute the payload in the form of a dynamic link library, then launched using legitimate – but commonly abused – tools in Windows.
Shortly afterwards, cyber criminals distributing IcedID – a form of malware which is installed in order to enable, hands-on, human-operated ransomware attacks – started using a template almost identical to that used by Qakbot to abuse archive files to trick victims into downloading malware.
Both campaigns put effort into ensuring the emails and the phony HTML pages looked legitimate to fool as many victims as possible.
“What was interesting with the QakBot and IcedID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we’ve seen before, making it hard for people to know what files they can and can’t trust,” said Holland.
A ransomware group has also been seen abusing ZIP and RAR files in this way. According to HP Wolf Security, a campaign spread by Magniber ransomware group targeted home users, with attacks which encrypt files and demand $2,500 from victims.
Prior to this latest Magniber campaign, the ransomware was spread by through MSI and EXE files – but like other cyber criminal groups, they’ve noticed the success which can be achieved with delivering payloads hidden in archive files.
Cyber criminals are continuously changing their attacks and phishing remains one of the key methods of delivering malware because it’s often difficult to detect if an email or files are legitimate – particularly if it has already slipped by hiding the malicious payload somewhere where anti-virus software can’t detect it.
Users are urged to be cautious about urgent requests to open links and download attachments, especially from unexpected or unknown sources.