ZIP, RAR Have Surpassed Office Files as Most-Used Malware Containers

ZIP, RAR Have Surpassed Office Files as Most-Used Malware Containers

We all, hopefully, learned long ago not to open suspicious Microsoft Office files, which have long been one of the most common vectors for malware infection. According to a new report, there’s a new public enemy number one when it comes to cybersecurity: ZIP and RAR archives. Data from HP Wolf Security shows that encrypted file archives have become the most common way of distributing malware, and your antivirus scanner may be of little help.

According to HP’s threat analysis group, ZIP and RAR archives accounted for 42 percent of malware attacks between July and September this year. This method jumped 11 percent over the course of 2022, spurred on by more advanced methods of social engineering (phishing) and HTML fakery. That makes malicious archives more common than viruses distributed via Microsoft Word and Excel files, which have been the most popular method for three years running.

Sending out malware as archives can make it harder for even savvy internet users to stay safe. HP Wolf Security, explains that these archives can obscure the dangerous payload from scanners because they cannot see inside the encrypted containers. These ZIP and RAR files are often paired with a phony HTML file that masquerades as a PDF. When run, they produce a fake web document viewer which has the user input a password. However, that password actually decrypts the archive file, exposing the system to malware. HP’s threat group says the malware authors spent a great deal of effort making the fake HTML pages look as legitimate as possible.

ZIP, RAR Have Surpassed Office Files as Most-Used Malware Containers

The well-known Qakbot malware has adopted this method, which could have something to do with the uptick in usage. It usually shows up in emails that pretend to be from large brands and online service providers. If the user mistakenly decrypts the archive, it downloads malware in the form of a dynamic link library that can be launched with native Windows features. Qakbot can steal data or pave the way for ransomware. A similar package known as IcedID adopted an almost identical distribution mechanism in late 2022, but this one loads human-operated ransomware that helps cyber criminals target the most important files and systems on a network. The team also spotted the Magniber ransomware using this method, having apparently abandoned its reliance on easy-to-spot MSI and EXE files.

Because malware scanners can’t detect the dangerous contents of these archives before they are loaded, users are warned to remain vigilant. If you get an attachment from an unexpected source, it’s probably best not to open it.