44% Of Malware Delivered Inside Archive Files In Q3 – Report

Based on data from millions of endpoints running, a new report has found that 44 per cent of malware was delivered inside archive files, an 11 per cent rise on the previous quarter, compared to 32 per cent delivered through Office files such as Microsoft Word, Excel, and PowerPoint.

HP Inc. yesterday, issued its third quarter HP Wolf Security Threat Insights Report, finding that, archive file formats, such as, ZIP and RAR files, were the most common file type for delivering malware, surpassing Office files for the first time in three years.

The report provides an analysis of real-world cyberattacks, helping organisations to keep up with the latest techniques cybercriminals use to evade detection and breach users in the fast-changing cybercrime landscape.

The report identified several campaigns that were combining the use of archive files with new HTML smuggling techniques, where cybercriminals embed malicious archive files into HTML files to bypass email gateways, to then launch attacks.

Citing an example, the report revealed that, “recent QakBot and IceID campaigns used HTML files to direct users to fake online document viewers that were masquerading as Adobe. Users were then instructed to open a ZIP file and enter a password to unpack the files, which then deployed malware onto their PCs.

“As the malware within the original HTML file is encoded and encrypted, detection by email gateway or other security tools is very difficult. Instead, the attacker relies on social engineering, creating a convincing and well-designed web page to fool people into initiating the attack by opening the malicious ZIP file. In October, the same attackers were also found using fake Google Drive pages in an ongoing effort to trick users into opening malicious ZIP files.”

Senior Malware analyst, HP Wolf Security threat research team, HP Inc, Alex Holland, further explained that, archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners.

“This makes attacks difficult to detect, especially when combined with HTML smuggling techniques. What was interesting with the QakBot and IceID campaigns was the effort put in to creating the fake pages, these campaigns were more convincing than what we’ve seen before, making it hard for people to know what files they can and can’t trust,” Holland revealed.

HP also identified a complex campaign using a modular infection chain, which could potentially enable attackers to change the payload, such as spyware, ransomware, keylogger, mid-campaign, or to introduce new features, like geo-fencing.

This could enable an attacker to change tactics depending on the target they have breached. By not including malware directly in the attachment sent to the target, it is also harder for email gateways to detect this type of attack.