ZIP and RAR files have overtaken Office documents as the file most commonly used by cyber criminals to deliver malware, according to an analysis of real-world cyber attacks and data collected from millions of PCs.
According to researchers, this marks the first time in over three years that archive files have surpassed Microsoft Office files as the most common means of delivering malware.
Encrypting malicious payloads and hiding them inside archive files gives attackers a way of bypassing many security protections.
"Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques," said Alex Holland, senior malware analyst on the HP Wolf Security threat research team.
This includes sending emails with malicious HTML files that masquerade as PDF documents. If opened, the HTML file displays a fake online document viewer that decodes the ZIP archive in the browser, and if the user downloads it, it infects them with malware.
According to analysis by HP Wolf Security, one of the most notorious malware campaigns now relying on ZIP archives and malicious HTML files is Qakbot – a malware family which is not only used to steal data, but also used as a backdoor for deploying ransomware.
Qakbot reemerged in September, with malicious messages sent out by email, claiming to be related to online documents which needed to be opened. If the archive was run, it used malicious commands to download and execute the payload in the form of a dynamic link library, which was then launched using legitimate – but commonly abused – tools in Windows.
Shortly afterwards, cyber criminals distributing IcedID – a form of malware which is installed in order to enable hands-on, human-operated ransomware attacks – started using a template almost identical to that used by Qakbot to abuse archive files to trick victims into downloading malware.
Both campaigns put effort into ensuring the emails and the phony HTML pages looked legitimate to fool as many victims as possible.
"What was interesting with the QakBot and IcedID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we've seen before, making it hard for people to know what files they can and can't trust," said Holland.
Prior to this latest Magniber campaign, the ransomware was spread through MSI and EXE files – but like other cyber criminal groups, they've noticed the success which can be achieved by delivering payloads hidden in archive files.
Cyber criminals are continuously changing their attacks, and phishing remains one of the key methods of delivering malware because it's often difficult to tell whether an email or its files are legitimate – particularly if it has already slipped past defences by hiding the malicious payload somewhere anti-virus software can't detect it.
Users are urged to be cautious about urgent requests to open links and download attachments, especially from unexpected or unknown sources.