More Hackers Using Archives to Deliver Malware
Archives are now the most popular file type for delivering malware, according to HP Wolf Security’s Q3 threat insights report.
Attackers password-protect or otherwise encrypt the archives so that the malware inside cannot be inspected before the victim unpacks it. Some 44% of malware was delivered via archive files in the third quarter, up 11% from the previous quarter and well ahead of the 32% delivered through Office files.
The report identified several campaigns that combined archive files with HTML smuggling. The malicious archive is embedded, encoded, inside an HTML file so that it passes email gateways that scan attachments; the archive is only reconstructed and written to disk by the victim's browser when the HTML file is opened, and the attack proceeds from there.
For example, recent QakBot and IcedID campaigns used HTML files to direct users to fake online document viewers masquerading as Adobe products. Users were then instructed to open a zip file and enter a password to unpack it, which deployed malware onto their PCs.
“As the malware within the original HTML file is encoded and encrypted, detection by email gateways or other security tools is very difficult,” HP Wolf Security said. “Instead, the attacker relies on social engineering, creating a convincing and well-designed web page to fool people into initiating the attack by opening the malicious zip file. In October, the same attackers were also found using fake Google Drive pages in an ongoing effort to trick users into opening malicious zip files.”
James Quinn is a malware analyst at Intel 471.
“We believe the HTML files described by HP are generated using a toolkit,” they said. “Some campaigns we have observed use several randomly generated passwords (protecting the zip archives). The use of several different passwords in a single campaign suggests that the build process for these payloads is automated, i.e. a builder tool or script creates the final HTML and potentially also intermediary payloads. Another clue is that we observe several disparate threat actors using the same technique. This suggests that a single threat actor is offering a service or tool to other threat actors that use this tool in their spreading campaigns. Besides the Qbot and IcedID (aka Bokbot) campaigns, we have also seen the same HTML smuggling technique used to spread Bumblebee.”
Despite the apparent success in bypassing security controls, this technique has drawbacks as well, Quinn said.
“The end user has to jump through several hoops to make this attack work,” they said. “They must unzip the payload using the provided password, find the malicious ISO file that is extracted, mount the ISO image and finally browse to the script/document to open it. The threat actors behind this new tool continue to refine the technique and add new features. The latest iteration uses JavaScript in the HTML payload to only move to the next stage when mouse-movement is detected.”
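The chain described in this article (an encoded ZIP carried inside an HTML page, password-protected, holding an ISO, and released by the browser only after mouse movement) can be triaged statically without ever running the page or extracting the archive. The Python script below is an added example written for this article, not tooling from HP Wolf Security or Intel 471. The sample HTML page and the hand-built ZIP fragment inside it are constructed for the demonstration; the base64 length threshold, the indicator lists and the scoring rules are assumptions rather than anything the report specifies.

```python
"""Static triage of an HTML-smuggling page: find the embedded archive, read its ZIP
headers without extracting anything, and flag the behaviours described in the article.
Added example, not HP Wolf Security or Intel 471 tooling; the sample page is constructed."""
import base64
import re
import struct

ZIP_LOCAL_HEADER = b"PK\x03\x04"
ENCRYPTED_FLAG = 0x0001           # bit 0 of the general-purpose flag: entry is password-protected
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")   # long base64 runs (threshold assumed)
MOUSE_GATE = re.compile(rb"addEventListener\s*\(\s*['\"]mousemove['\"]|onmousemove\s*=")
SMUGGLING_APIS = (b"atob(", b"new Blob(", b"createObjectURL", b"msSaveOrOpenBlob", b".download")
DISK_IMAGE_EXT = (b".iso", b".img", b".vhd", b".vhdx")   # mountable containers (assumed list)


def build_zip_fragment(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Hand-built ZIP local file header plus stored data (constructed for the sample page;
    no central directory, so it is enough for header triage but not a full archive)."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    header = struct.pack("<4sHHHHHIIIHH", ZIP_LOCAL_HEADER, 20, flags, 0, 0, 0, 0,
                         len(payload), len(payload), len(name), 0)
    return header + name + payload


def parse_zip_local_headers(data: bytes):
    """Walk ZIP local file headers and yield (entry name, encrypted?) without decompressing."""
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_HEADER, pos)
        if pos < 0 or pos + 30 > len(data):
            return
        # sig(4) version(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
        _, _, flags, _, _, _, _, csize, _, nlen, xlen = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + nlen]
        yield name, bool(flags & ENCRYPTED_FLAG)
        pos += 30 + nlen + xlen + csize   # csize may be 0 with a data descriptor; find() then rescans


def triage(html: bytes) -> dict:
    """Decode every long base64 run in the page and report any ZIP found inside it."""
    report = {
        "archives": [],
        "mouse_gated": bool(MOUSE_GATE.search(html)),
        "smuggling_apis": sorted(api.decode() for api in SMUGGLING_APIS if api in html),
    }
    for match in BASE64_BLOB.finditer(html):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not really base64
            continue
        if not decoded.startswith(ZIP_LOCAL_HEADER):
            continue                # reversed or XOR-obfuscated blobs would need extra decoders here
        entries = list(parse_zip_local_headers(decoded))
        report["archives"].append({
            "offset": match.start(),
            "entries": [name.decode("utf-8", "replace") for name, _ in entries],
            "encrypted": any(enc for _, enc in entries),
            "contains_disk_image": any(name.lower().endswith(DISK_IMAGE_EXT) for name, _ in entries),
        })
    return report


def verdict(report: dict) -> str:
    """Scoring is an assumption for this example: an embedded archive that is password-protected
    or carries a disk image matches the campaigns above; download APIs behind a mouse-move
    gate are suspicious even when no archive was recovered."""
    for archive in report["archives"]:
        if archive["encrypted"] or archive["contains_disk_image"]:
            return "suspicious"
    if report["smuggling_apis"] and report["mouse_gated"]:
        return "suspicious"
    return "review" if report["archives"] else "clean"


# Constructed sample page mimicking the chain described above: fake document viewer, password
# shown to the victim, ZIP with an ISO inside, released only after mouse movement.
SAMPLE_ARCHIVE = build_zip_fragment(b"document.iso", b"\x00" * 200, encrypted=True)
SAMPLE_HTML = (
    b"<html><body><h1>Online Document Viewer</h1><p>Archive password: 1234</p>\n<script>\n"
    b"var data = '" + base64.b64encode(SAMPLE_ARCHIVE) + b"';\n"
    b"document.addEventListener('mousemove', function () {\n"
    b"  var bin = atob(data), buf = new Uint8Array(bin.length);\n"
    b"  for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);\n"
    b"  var a = document.createElement('a');\n"
    b"  a.href = URL.createObjectURL(new Blob([buf], {type: 'application/zip'}));\n"
    b"  a.download = 'document.zip'; a.click();\n"
    b"}, {once: true});\n</script></body></html>\n"
)

if __name__ == "__main__":
    result = triage(SAMPLE_HTML)
    print(verdict(result), result)
```

Reading only the local file headers is deliberate: the encryption bit and the entry names are in the clear even when the archive is password-protected, so a gateway can tell that an HTML attachment carries an encrypted ZIP with an ISO inside without knowing the password that the page shows the victim.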