ZIP and RAR Have Surpassed Office Files as Most-Used Malware Containers

We should all have learned long ago not to open suspicious Microsoft Office files, as they have long been one of the most common vectors for malware infection. A recent study suggests that ZIP and RAR archives are now the cybersecurity world’s worst adversary. According to data from HP Wolf Security, encrypted file archives are now the most popular method of spreading malware, in part because they make antivirus scanners less effective.

Between July and September of this year, attacks using ZIP and RAR archives accounted for 42% of all malware attacks, according to HP’s threat analysis team. Over 2022, use of this technique grew by 11%, propelled by more sophisticated phishing and HTML forgery techniques. That makes malicious archives more prevalent than infections spread via Microsoft Word and Excel files, which had been the most common technique for the previous three years.

Even experienced internet users may find it harder to stay safe when malware arrives inside archives. According to HP Wolf Security, scanners cannot see inside encrypted containers, so these archives can hide the harmful payload from them. The ZIP and RAR packages are frequently distributed alongside a fake HTML file that looks like a PDF. When opened, it renders a bogus web document viewer that asks the user for a password. That password, however, actually unlocks the archive, exposing the system to the malware inside. The malware authors put a lot of effort into making the bogus HTML pages look as authentic as possible, according to HP’s threat team.

A fake web viewer that instructs victims to input a password to decrypt the malware-infested archive. Credit: HP Wolf Security

This technique has been used by the well-known Qakbot malware, which may account for the rise in usage. It typically appears in emails purporting to come from well-known companies and online service providers. If the user unwittingly decrypts the package, the malware is delivered in the guise of a dynamic link library that can be launched using standard Windows features. Qakbot can then be used to steal data or deploy ransomware. In late 2022, a similar package named IcedID adopted a nearly identical distribution strategy, but this one loads human-operated ransomware that helps criminals target the most critical networked files and systems. Using this technique, the team also discovered the Magniber ransomware, which had reportedly stopped using easily identifiable MSI and EXE files.

Users are advised to exercise caution, because malware scanners cannot identify the potentially harmful contents of these archives before they are opened. It is probably advisable not to open any attachments you receive from unknown sources.
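One thing a mail gateway can still do with an archive it cannot decrypt is read the ZIP central directory, which is never encrypted: entry names and the per-entry encryption flag stay visible. The following triage check is an added example, not code from the article or from HP Wolf Security; the constructed sample archive, the RISKY_EXT list and the verdict names are assumptions of this example.

```python
import io
import os
import struct
import zipfile
import zlib

# Entry types worth a human look inside a password-protected archive; DLL, EXE
# and MSI are the formats named on the page, the rest is a starting list.
RISKY_EXT = {".dll", ".exe", ".msi", ".js", ".vbs", ".lnk"}


def build_sample_zip(entries, encrypted):
    """Construct a minimal stored ZIP for the demo. With encrypted=True only the
    header flag is set; payload bytes are placeholders (triage reads headers only)."""
    flags = 0x1 if encrypted else 0x0  # general-purpose bit 0 = entry is encrypted
    local_part, central_part, offset = b"", b"", 0
    for name, payload in entries:
        crc = zlib.crc32(payload)
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(payload), len(payload), len(name), 0)
        local += name + payload
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                              0, 0, 0, crc, len(payload), len(payload),
                              len(name), 0, 0, 0, 0, 0, offset) + name
        local_part, central_part = local_part + local, central_part + central
        offset += len(local)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central_part), len(local_part), 0)
    return local_part + central_part + eocd


def triage_archive(data):
    """Classify a ZIP attachment from its central directory alone: ZIP never
    encrypts the directory, so entry names and the encryption flag stay visible
    even when the scanner cannot decrypt the content."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    encrypted = [i.filename for i in infos if i.flag_bits & 0x1]
    risky = [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXT]
    if encrypted and risky:
        verdict = "quarantine"  # unscannable archive carrying an executable
    elif encrypted or risky:
        verdict = "review"
    else:
        verdict = "allow"
    return {"entries": names, "encrypted": encrypted, "risky": risky, "verdict": verdict}


# Constructed sample modelled on the lure above: a DLL inside a password-protected archive.
SAMPLE = build_sample_zip([(b"invoice.dll", b"MZ placeholder")], encrypted=True)
```

Running `triage_archive(SAMPLE)` yields the "quarantine" verdict; RAR archives need a separate header parser, since Python's standard library does not read them.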
