Archive files such as the .zip and .rar formats are now the most popular method for spreading malware infections.
The findings from a report by HP Wolf Security mark the first time on the vendor's records that Microsoft Office documents were not the most popular file format for use in malware attacks. The company's third-quarter report shows that archive files logged a 42% attack share, while Office was barely behind, at 40%.
The Q3 2022 Quarterly Threat Insights Report also found a significant surge in popularity for archives, as the formats have seen their use grow some 22% since the first quarter of the year. According to the HP Wolf Security team, the primary appeal of archive files to threat actors is that they are harder to detect.
"Archives are attractive to threat actors because they are easily encrypted, making them difficult for web proxies, sandboxes and email scanners to detect malware," the report explained. "Moreover, many organizations use encrypted archives for legitimate reasons, making it challenging to reject encrypted archive email attachments by policy."
Alex Holland, a senior malware analyst at HP, told TechTarget Editorial that the move away from Office files is likely to continue, with Microsoft doing its part to lock down the format.
"The trend away from Office files has been underway since February this year, when Microsoft tightened the default macro policy in Office, making it tougher for attackers execute malware from documents," Holland explained via email.
"Since then, we have seen more threat actors -- such as those distributing QakBot and IcedID -- shift to alternative delivery formats, like Windows shortcuts (LNK), ISOs, HTML files and encrypted archives."
In addition to the rise of archive files, HP Wolf Security logged an increase in what it calls "HTML smuggling" attacks, which, similarly, can side-step security rules by using common file types.
In this scenario, the user is presented with what appears to be a PDF file but is in fact loaded with HTML. Opening the PDF then causes the user to be redirected to a fake downloader page for a common reader such as Adobe Acrobat. The page then tries to offer an archive file that contains the actual malware payload.
The researchers noted that one group in particular, QakBot, favors the HTML smuggling technique to get its malware onto the machines of end users. The group, which had gone on a hiatus during the summer, has begun ramping its activity back up.
"QakBot is a highly capable malware family that has been used by threat actors to steal data and deploy ransomware," the report noted.
"Notably, most of these new campaigns rely on HTML smuggling to infect systems, marking a move away from malicious Office documents as the preferred delivery mechanism for this malware family."
Finally, the team found that a retro approach to ransomware has been making a comeback. Magniber, known as a "single client ransomware" operation, makes its money not by targeting large organizations and demanding a multi-million dollar ransoms but instead by seeking out individual PCs, locking up the data and asking users for a $2,500 payout.
The technique harkens back to the early days of ransomware when individual machines were targeted en masse with hopes of getting a larger number of successful infections and ransom payments. Holland said the move to single client could catch on with other groups.
"Every threat actor has a different set of capabilities and resources that factor into what tactics, techniques and procedures they use," he explained.
"Targeting individuals with single-client ransomware like Magniber requires less expertise, so this style of attack may appeal to threat actors with less resources and know-how who are willing to accept lower ransoms from victims."