These files are now more dangerous than Office documents

Archive files such as RAR and ZIP are now used for malware distribution more often than regular Office documents such as Word and PDF. The use of archive files grew by 11% in the last quarter alone. For years, attackers have exploited scripting functionality in Office documents to download and execute malicious content. Because this scripting functionality is increasingly being disabled in Office, cybercriminals have found another method. Research by HP Wolf Security shows that archive files now make up 44% of the files used to install malware, while Office documents make up 32%. This puts archive files in first place. Security solutions struggle to properly check archive files for various reasons.

Archive files are often password protected. This prevents security solutions from opening the file and scanning it for dangerous content. Cybercriminals know this and work to build trust through clever use of social engineering and legitimate-looking websites. Once a user has confidence in a cybercriminal's website or email, they are more likely to open the archive file. Cybercriminals often use websites or HTML files to redirect users to fake online document viewers. In the original HTML file, the malware is encoded and encrypted, making it impossible for email gateways or other security programs to detect. From that document viewer, users are then asked to open an archive file with a specific password so that the document the user was looking for can be opened. When the archive file is opened, the malware is installed.
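The scanning gap described above can be triaged at a mail or web gateway without knowing the password. The following is an added example, not code from HP Wolf Security or the article: it reads a ZIP's central directory, which standard ZIP encryption leaves unencrypted, to tell whether entries are password protected and what they are named. The function names, the extension list and the verdict labels are assumptions, and the sample archives are constructed in memory.

```python
import io
import os
import zipfile

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry data is encrypted
# Assumed policy list for illustration, not taken from the article.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".lnk", ".bat", ".iso"}

def triage_zip(data: bytes) -> dict:
    """Classify a ZIP attachment from its central directory alone (no password needed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
    encrypted = [e.filename for e in entries if e.flag_bits & ENCRYPTED]
    risky = [e.filename for e in entries
             if os.path.splitext(e.filename)[1].lower() in RISKY_EXT]
    if not encrypted:
        verdict = "scan"    # contents are readable, hand to the normal scanner
    elif risky:
        verdict = "block"   # unscannable and carries an executable or script name
    else:
        verdict = "hold"    # unscannable, route to review or detonation
    return {"verdict": verdict, "encrypted": encrypted, "risky": risky}

def build_sample(names, encrypted=False) -> bytes:
    """Constructed test input: a small ZIP, optionally marked as encrypted."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, "constructed sample content")
    buf = bytearray(raw.getvalue())
    if encrypted:
        # The standard library cannot write encrypted ZIPs, so set bit 0 of the
        # flag field (offset 8) in every central-directory header instead.
        pos = buf.find(b"PK\x01\x02")
        while pos != -1:
            buf[pos + 8] |= ENCRYPTED
            pos = buf.find(b"PK\x01\x02", pos + 4)
    return bytes(buf)

if __name__ == "__main__":
    for label, blob in [("plain", build_sample(["notes.txt"])),
                        ("locked", build_sample(["notes.txt"], True)),
                        ("locked+script", build_sample(["notes.txt", "viewer.js"], True))]:
        print(label, triage_zip(blob))
```

Archive formats that also encrypt their file list expose no member names, so for those only the "hold" path applies.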
