ZIP files have overtaken Office files in malware distribution

ZIP and RAR archives are now the most common file type used to distribute malware, overtaking Office files for the first time in three years. This is one of the findings of the HP Wolf Security Threat Insights report, prepared by HP.

The report analyzes real-world cyberattacks to help organizations keep up with the latest techniques cybercriminals use to evade detection and compromise users.

Based on data from millions of devices running HP Wolf Security, the investigation found that 44% of malware was distributed within compressed files – 11% more than in the previous quarter – compared to 32% that was distributed through Office files such as Microsoft Word, Excel and PowerPoint.

The report identified several campaigns that combined compressed files with HTML smuggling, a technique in which cybercriminals embed malicious compressed files inside HTML files to bypass email security solutions and then launch the attack.

Direction of users to fake viewers

For example, recent QakBot and IcedID campaigns used HTML files to direct users to fake online document viewers posing as Adobe. Users were then asked to open a ZIP file and enter a password to unzip its contents, which then deployed the malware on their computers.

Because the malware inside the original HTML file is obfuscated and encrypted, it is very difficult for email-focused security solutions or other security tools to detect. Instead, the attacker relies on social engineering, building a convincing, well-designed web page that tricks users into launching the attack by opening the malicious ZIP file.
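As an added example (not part of the HP report or this article), the following Python shows one gateway-side heuristic for the HTML smuggling pattern described here: scan an HTML file for long base64 runs, decode them, check for a ZIP signature, and read the general-purpose flag of each local file header to tell whether the archive's entries are password protected. The sample HTML, the 200-character base64 threshold and the file name are constructed for the example.

```python
import base64
import io
import re
import struct
import zipfile

# A run of base64 long enough to plausibly carry a file (threshold is an assumption for this example).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
ZIP_LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # sig, ver, flags, method, time, date, crc, csize, usize, nlen, xlen


def zip_entries(data):
    """Walk the local file headers of a ZIP and return (name, is_encrypted) per entry."""
    entries, pos = [], 0
    while data.startswith(ZIP_LOCAL_SIG, pos) and pos + LOCAL_HDR.size <= len(data):
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = LOCAL_HDR.unpack_from(data, pos)
        name = data[pos + LOCAL_HDR.size:pos + LOCAL_HDR.size + nlen].decode("utf-8", "replace")
        entries.append((name, bool(flags & 0x1)))  # bit 0: entry is password protected
        if flags & 0x8:  # bit 3: sizes live in a trailing data descriptor; stop walking
            break
        pos += LOCAL_HDR.size + nlen + xlen + csize
    return entries


def find_smuggled_zips(html):
    """Return one finding per base64 blob in the HTML that decodes to a ZIP archive."""
    findings = []
    for m in B64_RE.finditer(html):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # long token that is not valid base64 (e.g. minified script)
        if blob.startswith(ZIP_LOCAL_SIG):
            entries = zip_entries(blob)
            findings.append({
                "offset": m.start(),
                "size": len(blob),
                "entries": [n for n, _ in entries],
                "encrypted": any(enc for _, enc in entries),
            })
    return findings


def build_sample_html(encrypted):
    """Constructed test input: an HTML page carrying a base64 ZIP, as a mail gateway would see it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", bytes(range(256)) * 2)
    raw = bytearray(buf.getvalue())
    if encrypted:
        raw[6] |= 0x1  # set bit 0 of the first local header to mimic a password-protected entry
    return b"<html><script>var payload='" + base64.b64encode(bytes(raw)) + b"';</script></html>"
```

Flagging an HTML attachment that carries an encrypted archive is the point where a gateway can still act, since the archive contents themselves cannot be inspected without the password.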

In October, the same attackers were also found to be using fake Google Drive pages in an ongoing effort to trick users into opening malicious ZIP files.

“Files are easy to encrypt, which helps cybercriminals hide malware and evade proxy, sandbox, or detection-based email security solutions. This makes the attacks difficult to detect, especially when combined with HTML smuggling techniques. What was interesting about the QakBot and IcedID campaigns was the effort put into creating the fake pages – these campaigns were more convincing than any we’ve seen before, making it harder for people to know which files to trust and which ones they can’t,” explains Alex Holland, Principal Malware Analyst for HP Wolf Security’s Threat Research team.
