
ZIP and RAR compressed files are the most used by cybercriminals to deliver malware

44 percent of the malware distributed during the third quarter of this year was found inside ZIP and RAR archives, making them the most common container for malware delivery and, for the first time in three years, overtaking malware delivered in Office files, according to a report from HP Wolf Security.

The study, carried out by the US technology company HP, is based on data collected from devices running HP Wolf Security. It identified attack campaigns that combine compressed files with new HTML smuggling techniques.


In these attacks, the cybercriminals' modus operandi is to embed malicious compressed files inside HTML files, thereby circumventing email security solutions, as HP reported in a statement.

Attacks through compressed files are thus consolidated as the most common malware delivery method (44 percent), up 11 percent on the previous quarter. With this, they overtake distribution through Office files such as Microsoft Word, Excel and PowerPoint (32 percent).


Until now, Office files had been the most dangerous in this regard, but for the first time in three years more malware deliveries have been identified via ZIP and RAR files than via Office documents.

Examples of such campaigns are those of QakBot and IcedID, which used HTML files to direct users to fake online document viewers posing as Adobe. Users were then asked to open the ZIP file and enter a password in order to extract its contents. Once extracted, the malware was deployed on their computers.


This technique evades email-focused security solutions, such as web proxies and sandboxes, and other security tools, because the malware inside the original HTML file is scrambled and encrypted, making it very difficult to detect.
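A defender-side check for the pattern described above is to look inside HTML attachments for base64 runs that decode to an archive signature, and to flag archives whose first entry carries the ZIP "encrypted" flag, since a password-protected archive cannot be inspected by a scanner. The following Python script is an added example written for this article, not code from HP or from the report; the sample HTML it scans is constructed inline (a harmless text file in a ZIP with the encrypted flag bit set by hand) and the `find_smuggled_archives` function name and the 64-character minimum run length are choices made here.

```python
import base64
import io
import re
import struct
import zipfile
from typing import Dict, List

# Standard leading magic bytes of the archive formats named in the report.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
}

# A base64 run long enough to plausibly carry a file; shorter runs are noise.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _zip_first_entry_encrypted(blob: bytes) -> bool:
    """Bit 0 of the general-purpose flag (offset 6 of the first local file
    header) marks the entry as password protected."""
    if len(blob) < 8:
        return False
    (flags,) = struct.unpack_from("<H", blob, 6)
    return bool(flags & 0x0001)


def find_smuggled_archives(html: bytes) -> List[Dict[str, object]]:
    """Return one finding per base64 run in the HTML that decodes to a ZIP or RAR archive."""
    findings = []
    for match in BASE64_RUN.finditer(html):
        run = match.group(0)
        # Trim an unpadded tail so that base64 decoding cannot fail on length alone.
        run = run[: len(run) - len(run) % 4]
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for magic, kind in ARCHIVE_SIGNATURES.items():
            if blob.startswith(magic):
                findings.append({
                    "offset": match.start(),
                    "format": kind,
                    "decoded_size": len(blob),
                    "encrypted": kind == "zip" and _zip_first_entry_encrypted(blob),
                })
                break
    return findings


def build_sample_html() -> bytes:
    """Constructed sample: an HTML page carrying a base64-encoded ZIP inside a script
    variable, plus an unrelated base64 blob that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "benign sample content " * 8)
    archive = bytearray(buf.getvalue())
    # Set the encrypted flag on the first entry to mimic a password-protected archive;
    # the data itself is untouched, this only exercises the flag check.
    archive[6] |= 0x01
    zip_b64 = base64.b64encode(bytes(archive)).decode()
    other_b64 = base64.b64encode(b"not an archive " * 10).decode()
    return (
        "<html><body><p>Open the document</p>\n"
        '<img src="data:image/png;base64,' + other_b64 + '">\n'
        '<script>var f = "' + zip_b64 + '";</script>\n'
        "</body></html>"
    ).encode()


if __name__ == "__main__":
    for finding in find_smuggled_archives(build_sample_html()):
        print(finding)
```

The check deliberately stops at the container: it reports format, size and whether the first entry is password protected, which is enough to quarantine the message for a sandbox or analyst. It only catches plain base64; the scrambled and encrypted payloads the article describes have to be decoded by a sandbox that actually renders the HTML, so this belongs alongside such tooling rather than in place of it.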

Furthermore, the attackers use social engineering to trick the user by building convincing, well-designed web pages. The study also found that cybercriminals used fake Google Drive pages to gain the victim's trust.


In this regard, Alex Holland, lead malware analyst of the HP Wolf Security threat research team, insisted that what was interesting about the QakBot and IcedID campaigns was the effort put into creating the fake pages. “These campaigns were more convincing than any we’ve seen before, making it harder for people to know which files to trust and which ones they can’t,” he said.

HP also identified an attack campaign that uses a modular infection chain. Such attacks are complex by nature, because they allow the attackers to change the attack method depending on the target that has been compromised, or to introduce new capabilities while the campaign is running.


That is, depending on the target they have breached, cybercriminals could deploy spyware to send user information to an external party, or switch to ransomware and hold the user's data hostage. They can also add capabilities such as geo-fencing, which relies on the location reported by a mobile device's GPS and other device data.

Likewise, because the malware is not placed directly in the attachment sent to the target, this type of attack is harder to detect.


As a defence against these attacks, Ian Pratt, HP’s Global Head of Security for Personal Systems, proposes the Zero Trust application isolation technology used by HP Wolf Security.

This technology runs risky tasks, such as opening email attachments, downloading files and clicking links, inside isolated micro-virtual machines (micro-VMs). In this way it protects the user while capturing detailed traces of attack attempts.


“Following the Zero Trust principle of precision isolation, organizations can use micro-virtualization to ensure that potentially malicious tasks, such as clicking links or opening malicious attachments, run in a disposable virtual machine separate from the underlying systems. This process is completely invisible to the user, and traps any malware hidden within, ensuring attackers have no access to sensitive data and preventing them from accessing and moving laterally,” explained Ian Pratt.

With this technology, HP isolates threats that have eluded detection tools on end-user computers, which gives HP Wolf Security a specific view of the latest techniques used by cybercriminals. The data indicates that, to date, HP customers have clicked on more than 18 billion email attachments, web pages and downloaded files without any breaches being reported.

Source: Elcomercio
