For the first time in three years, Microsoft Office files are no longer the most common file type for malware distribution. That’s according to HP Wolf Security’s latest Threat Insights Report (opens in new tab) for Q3 2022.
Analyzing data from “millions of endpoints” running its cybersecurity solution, HP concluded that archive files (.ZIP and .RAR files, for example) surpassed Office files to become the most common way to distribute malware.
In fact, 44% of all malware delivered in Q3 2022 used this format, up 11% on Q2. Office files, on the other hand, accounted for 32% of all malware distributions.
Bypassing protections
HP also found that Archive files would usually be combined with an HTML smuggling technique, in which cybercriminals would embed malicious archive files into HTML files to avoid being detected by email security solutions.
“Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners,” said Alex Holland, Senior Malware Analyst for the HP Wolf Security threat research team.
“This makes attacks difficult to detect, especially when combined with HTML smuggling techniques.”
Holland used the recent QakBot and IceID campaigns as examples. In these campaigns, HTML files were used to direct victims to fake online document viewers, with victims being encouraged to open a .ZIP file and unlock it with a password. Doing so would infect their endpoints with malware.
“What was interesting with the QakBot and IceID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we’ve seen before, making it hard for people to know what files they can and can’t trust,” Holland added.
HP has also said that cybercriminals evolved their tactics to develop “complex campaigns” with a modular infection chain.
This allows them to switch up the type of malware delivered mid-campaign, depending on the situation. Crooks could deliver spyware, ransomware, or infostealers, all using the same infection tactics.
The best way to protect against these attacks, the researchers say, is to adopt a Zero Trust approach to security.
“By following the Zero Trust principle of fine-grained isolation, organizations can use micro-virtualization to make sure potentially malicious tasks – like clicking on links or opening malicious attachments – are executed in a disposable virtual machine separated from the underlying systems,” explains Dr Ian Pratt, Global Head of Security for Personal Systems at HP.
“This process is completely invisible to the user, and traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally.”