Archive files overtake Office docs as a malware delivery method
Archive file formats -- like ZIP and RAR files -- are the most common file type for delivering malware, overtaking Office files for the first time in three years.
A new report from HP Wolf Security, based on on data from millions of endpoints, finds that between July and September this year 44 percent of malware was delivered inside archive files -- an 11 percent rise over the previous quarter -- compared to 32 percent delivered through Office files such as Microsoft Word, Excel, and PowerPoint.
Microsoft's decision to automatically disable VBA macros is likely to be playing a role here as attackers look for other ways to transmit their payloads. The recent QakBot and IceID campaigns, for example, used HTML files to direct users to fake online document viewers that were masquerading as Adobe. Users were then instructed to open a ZIP file and enter a password to unpack the files, which then deployed malware onto their PCs.
Because the malware within the original HTML file is encoded and encrypted, detection by email gateway or other security tools is very difficult. The attacker relies on social engineering to create a convincing and well-designed web page to fool people into initiating the attack by opening the malicious ZIP file.
"Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques. What was interesting with the QakBot and IceID campaigns was the effort put in to creating the fake pages -- these campaigns were more convincing than what we've seen before, making it hard for people to know what files they can and can't trust," says Alex Holland, senior malware analyst at the HP Wolf Security threat research team.
HP has also identified a complex campaign using a modular infection chain, which could potentially enable attackers to change the payload -- such as spyware, ransomware or keyloggers -- mid-campaign, or to introduce new features, like geo-fencing. This could enable an attacker to change tactics depending on the target they have breached. Not including malware directly in the attachment sent to the target makes detection much more difficult.
"As shown, attackers are constantly switching up techniques, making it very difficult for detection tools to spot," says Dr Ian Pratt, global head of security for personal systems at HP. "By following the Zero Trust principle of fine-grained isolation, organizations can use micro-virtualization to make sure potentially malicious tasks -- like clicking on links or opening malicious attachments -- are executed in a disposable virtual machine separated from the underlying systems. This process is completely invisible to the user, and traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally."
The full report is available on the HP site.