Beware of ZIP & RAR files with Qakbot

According to an analysis of real-world cyberattacks and data collected from millions of PCs, ZIP and RAR archives have overtaken Office documents as the file type most used by cyber criminals to deliver malware.  The research, based on customer data from the period between July and September 2022, found that 42% of attempted malware deliveries used archive file formats, including ZIP and RAR.

That means attacks abusing ZIP and RAR formats are now more common than those delivering malware through Microsoft Office documents such as Word and Excel files, which had long been the preferred method of luring victims into downloading malware.  According to the researchers, this is the first time in over three years that archive files have surpassed Microsoft Office files as the most common means of delivering malware.

Encrypting malicious payloads and hiding them within archive files gives attackers a way of bypassing many security protections.  "Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners.  This makes attacks difficult to detect, especially when combined with HTML smuggling techniques," said a senior malware analyst on the HP Wolf Security threat research team.

In many cases, the attackers craft phishing emails that appear to come from known brands and online service providers and attempt to trick the user into opening and running the malicious ZIP or RAR file.  This includes attaching malicious HTML files that masquerade as PDF documents; when opened, they display a fake online document viewer that decodes the ZIP archive in the browser.  If the user downloads and opens it, it infects them with malware.

According to analysts, one of the most notorious malware campaigns now relying on ZIP archives and malicious HTML files is Qakbot, a malware family used not only to steal data but also as a backdoor for deploying ransomware.  Qakbot re-emerged in September 2022 with malicious email messages claiming to relate to online documents that needed to be opened.  If the archive was run, it used malicious commands to download and execute the payload as a dynamic link library (DLL), which was then launched using legitimate but commonly abused Windows tools.
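The delivery chain described above (an HTML lure that rebuilds a ZIP in the browser, with a script inside the archive) can be triaged from the mail gateway side without opening anything. The following is an added defender-side example, not code from Red Sky Alliance or HP Wolf Security: it looks for the browser APIs an HTML smuggling page needs, decodes any embedded base64 blob that carries a ZIP signature, and lists the archive's members without extracting them. The sample lure, file names and the extension list are constructed for the example.

```python
import base64
import io
import re
import zipfile

# Member extensions that, inside a mailed archive, usually mean script or loader rather than document.
RISKY_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk", ".dll", ".exe", ".cmd", ".iso", ".img"}
# Browser-side APIs an HTML smuggling page needs to rebuild a file client-side and hand it to the user.
SMUGGLING_APIS = ("atob(", "Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download")
# A long run of base64 characters is the usual shape of a smuggled payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")

def find_smuggled_zips(html: str) -> list[bytes]:
    """Decode every long base64 run and keep those that start with the ZIP local-header magic."""
    payloads = []
    for match in BASE64_BLOB.finditer(html):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except ValueError:
            continue
        if raw.startswith(b"PK\x03\x04"):
            payloads.append(raw)
    return payloads

def triage_zip(data: bytes) -> dict:
    """Inspect the archive directory only: encrypted entries and script/loader members are both red flags."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        encrypted = any(info.flag_bits & 0x1 for info in zf.infolist())  # bit 0 = traditional encryption
    risky = [n for n in names if any(n.lower().endswith(ext) for ext in RISKY_EXTENSIONS)]
    return {"members": names, "encrypted": encrypted, "risky_members": risky}

def triage_html(html: str) -> dict:
    """Flag an HTML attachment when smuggling APIs and an embedded ZIP appear together."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    zips = [triage_zip(z) for z in find_smuggled_zips(html)]
    return {"smuggling_apis": apis, "embedded_zips": zips, "suspicious": bool(apis) and bool(zips)}

def build_constructed_sample() -> str:
    """Constructed lure: a harmless ZIP holding a .js member, base64-embedded in a fake document viewer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2022.js", "// constructed placeholder member, not a real payload\n")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><p>Loading document...</p><script>
var b = atob("{b64}"); var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var l = document.createElement('a'); l.href = URL.createObjectURL(new Blob([a]));
l.download = 'Invoice_2022.zip'; l.click();
</script></body></html>"""
```

Run `triage_html(build_constructed_sample())` to see the report; in a gateway the same call would take the raw text of each HTML attachment.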

See:  https://redskyalliance.org/xindustry/emotet-attacks-increase-as-the-botnet-spreads-its-joy-globally

Soon after, cybercriminals distributing IcedID, a form of malware installed to enable hands-on, human-operated ransomware attacks, started using a template almost identical to the one used by Qakbot to abuse archive files and trick victims into downloading malware.

See:  https://redskyalliance.org/xindustry/icedid-is-not-a-cold-drink

Both campaigns put effort into ensuring the emails and the phony HTML pages looked legitimate to fool as many victims as possible.  "What was interesting with the QakBot and IcedID campaigns was the effort to create the fake pages. These campaigns were more convincing than we've seen before, making it hard for people to know what files they can and can't trust," said Wolf Security.

Magniber, a ransomware group, has been abusing ZIP and RAR files in this way in attacks that encrypt files and demand $2,500 from victims.  In this case, the infection begins on an attacker-controlled website that asks users to download a ZIP archive containing a JavaScript file purporting to be an important anti-virus or Windows 10 software update.  If run, it downloads and installs the ransomware.

Before this latest Magniber campaign, the ransomware was spread through MSI and EXE files, but like other cybercriminal groups, its operators have noticed the success that can be achieved by delivering payloads hidden in archive files.  Cybercriminals are continuously changing their attacks.  Phishing remains one of the key methods of delivering malware because it is often difficult to tell whether an email or file is legitimate, particularly when the malicious payload is hidden somewhere anti-virus software cannot inspect it.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting: https://www.redskyalliance.org/
  • Website: https://www.wapacklabs.com/
  • LinkedIn: https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989
