For the first time in three years, Microsoft Office files are no longer the most common file type for malware distribution. This is according to the latest Threat Insights report from HP Wolf Security for Q3 2022.
By analyzing data from the “millions of endpoints” running its security product, HP concluded that archive files (for example, .ZIP and .RAR files) have overtaken Office files as the most common means of distributing malware.
Archives accounted for 44% of all malware delivered in Q3 2022, up 11% from Q2, while Office files accounted for 32% of all malware distributions.
Bypassing security
HP also discovered that archive files were commonly associated with an HTML smuggling technique whereby cybercriminals embedded malicious archive files in HTML files to avoid detection by email security solutions.
“Archives are easy to encrypt, which helps cybercriminals hide malware and evade proxies, sandboxes or email scanners,” said Alex Holland, senior malware analyst with the HP Wolf Security research team.
“This makes attacks hard to detect, especially when combined with HTML smuggling techniques.”
Holland cited the recent QakBot and IcedID campaigns as examples. In these campaigns, HTML files directed victims to fake online document viewers that encouraged them to open a .ZIP file and unlock it with a password, which infected their endpoints with malware.
“What was interesting about the QakBot and IcedID campaigns was the effort they put into creating fake sites – these campaigns were more convincing than what we had seen before, making it difficult for people to figure out which files they could trust and which they couldn’t,” Holland added.
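The HTML smuggling pattern described above (an archive carried as base64 text inside an HTML file, often password-protected) can be checked for on the mail gateway or at the endpoint. The following is an added example, not code from HP or the report: it scans an HTML document for long base64 runs, decodes them, flags any that start with ZIP or RAR magic bytes, and for ZIPs reads the encryption bit of the local file header. The sample page it builds is constructed for the demonstration.

```python
import base64
import io
import re
import struct
import zipfile

# Magic bytes of the archive formats the report singles out (.ZIP and .RAR).
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}

# Smuggled payloads usually sit in a long run of base64 text inside a script.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def zip_is_encrypted(data: bytes) -> bool:
    """True if bit 0 (encryption) of the first ZIP local file header's flags is set."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return False
    (flags,) = struct.unpack_from("<H", data, 6)
    return bool(flags & 0x0001)


def find_smuggled_archives(html: bytes) -> list:
    """Decode every long base64 run in `html` and report those that are archives."""
    findings = []
    for m in B64_RUN.finditer(html):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a ragged tail; the header is what matters
        try:
            blob = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        for magic, kind in ARCHIVE_MAGIC.items():
            if blob.startswith(magic):
                findings.append({"offset": m.start(), "type": kind,
                                 "zip_encrypted": zip_is_encrypted(blob),
                                 "decoded_size": len(blob)})
    return findings


def build_sample_html(encrypted: bool) -> bytes:
    """Constructed sample: a page whose script carries a base64 ZIP, as in HTML smuggling."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "placeholder content " * 8)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x01  # set the encryption flag so the sample mimics a password-protected ZIP
    return b"<html><body><script>var p='" + base64.b64encode(bytes(data)) + b"';</script></body></html>"


if __name__ == "__main__":
    for hit in find_smuggled_archives(build_sample_html(encrypted=True)):
        print(hit)
```

A hit on an encrypted archive is the case the report describes as hardest for proxies and sandboxes to inspect, so it is the one worth escalating first.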
HP also said cybercriminals have evolved their tactics, building “complex campaigns” around a modular infection chain.
This allows them to vary the type of malware delivered during the campaign, depending on the situation. Scammers can deliver spyware, ransomware or information stealing tools using the same infection tactics.
Researchers say the best way to protect against these attacks is to adopt a Zero Trust approach to security.
“By adhering to the Zero Trust principle of granular isolation, organizations can use micro-virtualization to ensure that potentially malicious tasks – such as clicking links or opening malicious attachments – are performed in a single-use virtual machine separate from the underlying systems,” explains Dr Ian Pratt, Global Head of Personal Systems Security at HP.
“This process is completely invisible to the user and captures the malware hidden in it, preventing attackers from accessing sensitive data and preventing them from gaining access and swiping sideways.”