Threat Actors Prefer Archive Files for Deploying Malware Infections

Hackers prefer archive files because they are difficult to detect.

Hackers prefer archive files, not MS Office

Archive files such as .zip and .rar are now popular ways of distributing malware infections. HP Wolf Security's report findings conclude that MS Office documents were no longer the most popular file format used in malware attacks. The company's third-quarter report reveals that archive files accounted for a 42% share of attacks, whereas Office documents recorded a 40% share.

The report also noted a sharp rise in the popularity of archives: their usage has increased by up to 22% since the first quarter of the year. According to the HP Wolf Security team, hackers prefer archive files because they are difficult to detect.

"Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes, and email scanners to detect malware. Moreover, many organizations use encrypted archives for legitimate reasons, making it challenging to reject encrypted archive email attachments by policy," the report said. 
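The quoted point is that an encrypted archive is opaque to a proxy or sandbox, yet cannot simply be blocked. As an added example (not HP's tooling or code from this post), the Python below reads a ZIP attachment's headers and flags entries whose general-purpose flag has the encryption bit set, so a gateway can hold those for review instead of either scanning nothing or rejecting them by policy. The sample archive is constructed inline and its encryption bit is set by hand, since Python's zipfile cannot write encrypted entries; the verdict names are an assumed policy, not part of the report.

```python
import io
import zipfile

# Bit 0 of the general-purpose flag in a ZIP entry header marks the entry as
# encrypted (both classic ZipCrypto and WinZip AES set it). An encrypted entry
# is opaque to any scanner that lacks the password.
ZIP_FLAG_ENCRYPTED = 0x0001


def encrypted_entries(zip_bytes: bytes) -> list[str]:
    """Names of entries whose central-directory flag marks them as encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist()
                if info.flag_bits & ZIP_FLAG_ENCRYPTED]


def triage_archive(zip_bytes: bytes) -> dict:
    """Assumed gateway policy: plain archives go to content scanning; encrypted
    or malformed ones are held for human review rather than rejected outright,
    because many organisations send encrypted archives legitimately."""
    if not zip_bytes.startswith(b"PK\x03\x04"):
        return {"verdict": "not-zip", "encrypted": []}
    try:
        enc = encrypted_entries(zip_bytes)
    except zipfile.BadZipFile:
        return {"verdict": "hold-malformed", "encrypted": []}
    if enc:
        return {"verdict": "hold-for-review", "encrypted": enc}
    return {"verdict": "scan-contents", "encrypted": []}


def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed sample archive. The encryption bit is set by hand in both
    the local file header (flag at offset 6) and the central-directory record
    (flag at offset 8), which is where a password-protected ZIP carries it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("report.txt", "constructed sample content\n")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= ZIP_FLAG_ENCRYPTED
        data[data.find(b"PK\x01\x02") + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        print(triage_archive(build_sample_zip(flag)))
```

The check only covers ZIP; RAR uses a different container format with its own encrypted-header flag, so a gateway that accepts .rar attachments needs an equivalent parser for it. Nested archives (a ZIP inside a ZIP) would also need the scan to recurse into each plain entry.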

Rise in HTML Smuggling Attacks

Besides the increase in archive files, HP Wolf Security logged a rise in "HTML smuggling" attacks, which likewise evade security measures by relying on common file types.

In this case, the user is sent a malicious PDF file containing a large amount of HTML. When opened, the PDF redirects the user to a fake download page for a common reader such as Adobe Acrobat. The page then offers an archive file containing the actual malware payload.
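The first hop in that chain is a PDF that sends the user to a web page, which PDF does through an action object (/URI) that is typically wired to fire when the document opens (/OpenAction). As an added example (not from the HP report or this post), the Python below scans a PDF's raw bytes for those action keywords in the style of a pdfid-type triage, undoing the #xx escapes the PDF name syntax allows so that /U#52I is still recognised as /URI. Both sample PDFs are constructed inline with a placeholder URL, and the verdict thresholds are an assumed policy.

```python
import re

# Keywords that indicate a PDF does something on its own (auto-action) or
# carries active content. A plain document has none of them.
PDF_RISK_KEYWORDS = ("/OpenAction", "/AA", "/JavaScript", "/JS",
                     "/Launch", "/URI", "/EmbeddedFile", "/SubmitForm")
_HEX_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_pdf_names(data: bytes) -> bytes:
    """PDF permits /Java#53cript as a spelling of /JavaScript; undo the
    escape so keyword matching cannot be dodged by encoding a letter."""
    return _HEX_NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_keyword_counts(data: bytes) -> dict[str, int]:
    """Count each risk keyword; the lookahead stops /JS matching /JSomething."""
    norm = normalize_pdf_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z])", norm))
            for kw in PDF_RISK_KEYWORDS}


def triage_pdf(data: bytes) -> dict:
    """Assumed policy: an auto-action combined with active content (a URI,
    script or launch) is the redirect-on-open pattern and is flagged; active
    content without auto-action is queued for review; the rest is passive."""
    if not data.startswith(b"%PDF-"):
        return {"verdict": "not-pdf", "counts": {}}
    counts = pdf_keyword_counts(data)
    auto = counts["/OpenAction"] + counts["/AA"]
    active = counts["/JavaScript"] + counts["/JS"] + counts["/Launch"] + counts["/URI"]
    if auto and active:
        verdict = "suspicious-auto-action"
    elif active:
        verdict = "review-active-content"
    else:
        verdict = "passive"
    return {"verdict": verdict, "counts": counts}


# Constructed samples: a minimal PDF whose catalog opens a URL on load (with
# one escaped name to exercise the normaliser), and a plain one for contrast.
SAMPLE_REDIRECT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R "
    b"/OpenAction << /S /U#52I /URI (https://example.invalid/reader-update) >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PLAIN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage_pdf(SAMPLE_REDIRECT_PDF))
    print(triage_pdf(SAMPLE_PLAIN_PDF))
```

A byte scan of this kind sees only what is stored in the clear; objects inside compressed object streams need to be inflated first, which a full PDF parser would do before applying the same keyword rules.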

Threat actors prefer Qakbot malware strain

The researchers found that one group in particular, "Qakbot", favors the HTML smuggling technique to get its malware onto end-user machines. The group, which went on a rampage during the summer, has restarted its activities.

Qakbot is a highly effective malware strain that hackers have used to steal data and deploy ransomware. Most of these recent campaigns rely on HTML to compromise systems, moving away from malicious Office documents as the standard delivery method for the strain.

Finally, the team discovered that a traditional approach to ransomware is making a comeback. Magniber, a so-called "single-client ransomware" operation, profits not by attacking large organizations and demanding multi-million-dollar ransoms, but by going after individual PCs, locking up their data and asking users for a $2,500 payout.

The method goes back to the early days of ransomware, when individual systems were attacked en masse in the hope of achieving a greater number of successful infections and ransom payments.

Alex Holland, a senior malware analyst at HP, said:

"Every threat actor has a different set of capabilities and resources that factor into what tactics, techniques, and procedures they use. Targeting individuals with single-client ransomware like Magniber requires less expertise, so this style of attack may appeal to threat actors with fewer resources and know-how who are willing to accept lower ransoms from victims."
