HP Wolf Warns of Surge in Malware Hidden in ZIP, RAR Files

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Archive files are now the most common file type used to deliver malware – eclipsing Microsoft Office files for the first time – according to HP Wolf Security’s Q3 2022 Quarterly Threat Insights Report.

Forty-four percent of malware was delivered via archive files in the third quarter of 2022, 11 percent more than the previous quarter and far more than the 32 percent delivered through Office files.

The change comes as Microsoft has begun disabling Office macros by default (see Hackers Find Alternatives to Microsoft Office Macros).

HTML Smuggling

The QakBot and IceID campaigns, the report notes, trick victims with malicious HTML files masquerading as PDF documents. When victims open the files, they’re redirected to fake online document viewers masquerading as Adobe or Google Drive web pages, which tell victims to open an encrypted ZIP file allegedly containing the document.

When the victim enters a password provided to them on the web page, the ZIP file then deploys malware on the victim’s PC.

“Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners,” HP Wolf Security senior malware analyst Alex Holland said in a statement. “This makes attacks difficult to detect, especially when combined with HTML smuggling techniques.”

That’s even more of an issue when the social engineering is well thought out. “What was interesting with the QakBot and IceID campaigns was the effort put in to creating the fake pages – these campaigns were more convincing than what we’ve seen before, making it hard for people to know what files they can and can’t trust,” Holland said.

“We expect HTML smuggling design variations and brand abuse to accelerate as attackers experiment to find the most effective lures,” the report warns.

See the Top EDR Solutions

A Modular Infection Chain

A separate campaign observed in mid-September uses a modular infection chain that enables attackers to change malicious payloads and introduce new features.

The attack starts with an email containing a Microsoft Word attachment – but when the document is opened, it asks for permission to load an embedded Excel spreadsheet. If the victim gives permission, the spreadsheet then runs malicious files hosted on file sharing websites.

Because the malware isn’t included directly in the attachment sent to the victim, it’s also harder for security tools to detect.

“The attackers hosted different components of the malware campaign on remote web servers and used a variety of techniques to execute the payload malware,” the report states. “This modular approach benefits attackers because it enables payloads to be swapped out easily and for the execution flow to be modified mid-campaign.”

“As shown, attackers are constantly switching up techniques, making it very difficult for detection tools to spot,” Ian Pratt, global head of security for personal systems at HP, said in a statement.

See the Top Secure Email Gateway Solutions

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis