A report from HP Wolf Security found that archive formats such as .ZIP and .RAR were the most common vehicles for delivering malware between July and September 2022, overtaking Office documents, which had been cybercriminals' preferred option for the previous three years.
According to telemetry from devices running the company's security software, 44% of malware was delivered inside archive files, an 11% increase on the previous quarter, while 32% arrived in Office documents such as Microsoft Word, Excel and PowerPoint files.
New attack techniques
The shift to archive files was accompanied by a new form of HTML smuggling, in which the attacker embeds the malicious payload, usually encoded, inside an HTML file. Email gateways and web security filters see only an HTML attachment or page; the victim's browser then decodes the embedded data and reassembles the malicious file locally.
One example is the recent QakBot and IcedID campaigns, which used HTML files to send users to fake online document viewers impersonating Adobe.
The victim was then prompted to open a .ZIP archive, enter a password, and extract further documents that contained the malware, which then compromised the computer.
These attacks are hard for email security and endpoint products to detect because the payload inside the original HTML file is encoded and the archive it produces is password-protected, so neither layer can be scanned in transit. All the attacker has to do is make the fake page look as close to the real one as possible in order to fool people.
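The following is an added example, not code from HP or from the report, of the kind of triage check a practitioner would run on an HTML attachment to catch the pattern described above: it looks for the browser APIs that HTML smuggling relies on (base64 decoding, Blob construction, object URLs, a forced download) and, for any long base64 literal, decodes it and inspects the archive header to see whether it is a ZIP or RAR and whether the ZIP entry is flagged as password-protected. The sample HTML and the embedded archive are constructed here for illustration; the archive has only the encryption flag bit set in its local file header and is not actually encrypted, and all function and variable names are hypothetical.

```python
import base64
import re
import struct

# Hypothetical, illustrative detector (not HP's code). Flags HTML files that
# carry an embedded archive and reassemble it in the browser.

# Browser APIs commonly chained together in HTML smuggling pages.
SMUGGLING_APIS = [
    r"atob\s*\(",                      # base64 decode in the browser
    r"new\s+Blob\s*\(",                # turn the bytes into a file object
    r"URL\.createObjectURL",           # make the Blob downloadable
    r"msSaveOrOpenBlob",               # legacy IE/Edge equivalent
    r"\.download\s*=|\bdownload\s*=",  # anchor download attribute
    r"\.click\s*\(\)",                 # auto-trigger the download
]

# A run of 200+ base64 characters is far longer than any normal inline script token.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def find_indicators(html: str) -> list:
    """Return the smuggling-related API patterns present in the HTML."""
    return [p for p in SMUGGLING_APIS if re.search(p, html)]


def extract_base64_blobs(html: str) -> list:
    """Decode every long base64 literal that decodes cleanly."""
    blobs = []
    for m in BASE64_RUN.finditer(html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def classify_payload(data: bytes) -> dict:
    """Identify ZIP/RAR payloads; for ZIP, read the encryption flag of the first entry."""
    if data[:4] == b"PK\x03\x04" and len(data) >= 30:
        flags = struct.unpack_from("<H", data, 6)[0]       # general purpose bit flag
        name_len = struct.unpack_from("<H", data, 26)[0]   # file name length
        name = data[30:30 + name_len].decode("latin-1", "replace")
        return {"type": "zip", "encrypted": bool(flags & 1), "first_entry": name}
    if data[:7] == b"Rar!\x1a\x07\x00" or data[:8] == b"Rar!\x1a\x07\x01\x00":
        return {"type": "rar", "encrypted": None, "first_entry": None}
    return {"type": "unknown", "encrypted": None, "first_entry": None}


def analyze_html(html: str) -> dict:
    """Verdict: an embedded archive plus at least two smuggling APIs is suspicious."""
    indicators = find_indicators(html)
    payloads = [classify_payload(b) for b in extract_base64_blobs(html)]
    archives = [p for p in payloads if p["type"] in ("zip", "rar")]
    suspicious = bool(archives) and len(indicators) >= 2
    return {"indicators": indicators, "payloads": payloads, "suspicious": suspicious}


def build_fake_encrypted_zip(name: bytes, body: bytes) -> bytes:
    """Constructed test input: a lone ZIP local file header with flag bit 0 set.
    Enough for the classifier; a real archive would also carry encrypted data,
    a central directory and an end-of-central-directory record."""
    header = struct.pack(
        "<IHHHHHIIIHH",
        0x04034B50, 20, 0x0001, 0, 0, 0, 0, len(body), len(body), len(name), 0,
    )
    return header + name + body


# Constructed sample: a fake "document viewer" page of the kind described above.
ZIP_BYTES = build_fake_encrypted_zip(b"Invoice_2022.lnk", b"constructed-junk " * 16)
SAMPLE_HTML = f"""<html><body>
<h2>Adobe Acrobat online viewer</h2><p>Loading document...</p>
<script>
var data = "{base64.b64encode(ZIP_BYTES).decode()}";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invoice_2022.zip";
a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(analyze_html(SAMPLE_HTML))
```

The check is deliberately cheap: it never executes the script, so JavaScript that builds the base64 string from fragments or XOR-decodes it at runtime will slip past the literal scan, which is exactly why the report describes these files as hard to catch in transit. In that case the remaining signals are the API chain itself and what the browser eventually writes to disk.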
The same approach has been applied to lookalikes of other services, such as Google Drive. In October, attackers built a site imitating Google's official cloud storage service to make users believe it was genuine, when its real purpose was to distribute .ZIP archives containing malware.
"These campaigns were more convincing than we've seen before, making it harder for people to tell which files they can trust and which they can't," said Alex Holland, senior malware analyst in the company's threat research team, in the report.
Another technique found was a modular infection chain that lets the criminals change the payload, for example spyware, ransomware or a keylogger, in the middle of a campaign, or add new capabilities such as geofencing, which restricts the malware to victims in chosen geographic locations.
In other words, the attacker could start a campaign and then, if their objective changed, easily swap in a different attack without starting over. This works because the malware is not embedded directly in the attachment sent to the target, so protection systems have much less to inspect up front and find it harder to spot the attacker's changes.
“As shown, attackers are constantly switching techniques, making detection more difficult,” said Ian Pratt, the company’s global head of personal systems security.
According to company data, users of its devices have clicked on more than 18 billion email attachments, web pages and downloaded files without any reported breaches, despite the various tactics criminals use to evade security systems.