ZIP, RAR Have Surpassed Office Files as Most-Used Malware Containers


We all, hopefully, learned long ago not to open suspicious Microsoft Office files, which have long been one of the most common vectors for malware infection. According to a new report, there’s a new public enemy number one when it comes to cybersecurity: ZIP and RAR archives. Data from HP Wolf Security shows that encrypted file archives have become the most common way of distributing malware, and your antivirus scanner may be of little help.

According to HP’s threat analysis group, ZIP and RAR archives accounted for 42 percent of malware attacks between July and September this year. This method jumped 11 percent over the course of 2022, spurred on by more advanced methods of social engineering (phishing) and HTML fakery. That makes malicious archives more common than malware distributed via Microsoft Word and Excel files, which had been the most popular method for three years running.

Sending out malware as archives can make it harder for even savvy internet users to stay safe. HP Wolf Security explains that these archives can hide the dangerous payload from scanners, which cannot see inside encrypted containers. The ZIP and RAR files are often paired with a phony HTML file that masquerades as a PDF. When opened, it produces a fake web document viewer that asks the user to enter a password. That password actually decrypts the archive, exposing the system to the malware. HP’s threat group says the malware authors spent a great deal of effort making the fake HTML pages look as legitimate as possible.
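Because a scanner cannot inspect the contents of an encrypted archive, one practical gateway control is to flag any ZIP attachment whose members are marked encrypted, before anyone is prompted for a password. The following added example (not code from the article or from HP) reads the ZIP central directory directly and reports encrypted members; the sample archive and the member name "invoice.dll" are constructed for the demonstration.

```python
import io
import struct
import zipfile

# Signatures and flag bits from the PKWARE APPNOTE ZIP specification.
CD_SIG = b"PK\x01\x02"        # central directory file header
EOCD_SIG = b"PK\x05\x06"      # end of central directory record
FLAG_ENCRYPTED = 0x0001       # bit 0: member is encrypted (also set for WinZip AES)
FLAG_STRONG_ENC = 0x0040      # bit 6: "strong" encryption


def encrypted_members(data: bytes) -> list:
    """Return names of members whose general-purpose flags mark them encrypted.

    Parses the central directory by hand, so it works without a password and
    without relying on zipfile being able to open the members.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP archive (no end-of-central-directory record)")
    # EOCD: sig(4) disk(2) cd_disk(2) n_this_disk(2) n_total(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, _, n_total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    names, pos = [], cd_offset
    for _ in range(n_total):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("corrupt central directory")
        # Fixed part of a central header is 46 bytes: flags at +8, name/extra/comment lengths at +28.
        flags = struct.unpack_from("<H", data, pos + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & (FLAG_ENCRYPTED | FLAG_STRONG_ENC):
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: a one-member stored ZIP. When encrypted=True the
    encryption flag is set in the local and central headers (no cipher is
    applied; the flag alone is what a gateway check sees)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.dll", b"constructed placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        struct.pack_into("<H", data, 6, FLAG_ENCRYPTED)            # local header flags at +6
        struct.pack_into("<H", data, data.find(CD_SIG) + 8, FLAG_ENCRYPTED)  # central header flags at +8
    return bytes(data)
```

A mail filter can quarantine or route for manual review any attachment for which this returns a non-empty list.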


The well-known Qakbot malware has adopted this method, which could have something to do with the uptick in usage. It usually shows up in emails that pretend to be from large brands and online service providers. If the user mistakenly decrypts the archive, it downloads malware in the form of a dynamic link library that can be launched with native Windows features. Qakbot can steal data or pave the way for ransomware. A similar package known as IcedID adopted an almost identical distribution mechanism in late 2022, but this one loads human-operated ransomware that helps cyber criminals target the most important files and systems on a network. The team also spotted the Magniber ransomware using this method, having apparently abandoned its reliance on easy-to-spot MSI and EXE files.

Because malware scanners can’t detect the dangerous contents of these archives before they are loaded, users are warned to remain vigilant. If you get an attachment from an unexpected source, it’s probably best not to open it.
