RAR and ZIP now the most commonly used malware file types
The past year has seen a shift in the file types used to deliver malware. Archive files such as RAR and ZIP are now used for malware distribution more often than Office documents such as Word files, or PDFs. For years, attackers exploited the scripting functionality (macros) in Office documents to download and execute malicious content. Because that functionality is increasingly being blocked in Office, cybercriminals have switched to another method: archive files. Research from HP Wolf Security shows that archive files now account for 44% of the files used to deliver malware, while Office documents account for 32%, which puts archives in first place. Security solutions struggle to properly inspect archive files for several reasons.
Reason for increased use of RAR and ZIP files
Archive files are often password protected, which prevents security solutions from opening the file and scanning its contents for dangerous material. Cybercriminals know this and try to build trust through clever social engineering and legitimate-looking websites. Once a user trusts a cybercriminal's website or email, they are more likely to open the archive file. Cybercriminals often use websites or HTML attachments to redirect users to fake online document viewers. The malicious payload is embedded in the HTML file itself in encoded and encrypted form (a technique known as HTML smuggling), so email gateways and other security products that scan the attachment see no recognisable malware, only text. From that fake document viewer, the user is prompted to open an archive file with a specific password in order to view the document they were looking for. When the user opens the archive with that password, the malware is dropped on the system.
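The chain described above (payload smuggled inside an HTML file, then a password-protected archive) is what a scanner has to catch. The following is an added example, not code from the article or from HP Wolf Security: it pulls base64 runs out of an HTML attachment, identifies ZIP and RAR payloads by their magic bytes and, for ZIP, reads the general-purpose encryption flag from the central directory, so a gateway can report the archive as "cannot inspect" rather than "clean". The HTML page and the archive are constructed inline; the 64-character base64 threshold, the entry name and the page text are assumptions made for the example.

```python
"""Added example: find archives smuggled inside an HTML attachment and report
whether their entries are password protected. Not code from HP Wolf Security
or from the article; the sample page and archive below are constructed."""
import base64
import io
import re
import struct
import zipfile
import zlib

ZIP_LOCAL_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Minimum length of a base64 run worth decoding; 64 is an assumed threshold.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_base64_blobs(html: bytes):
    """Yield every decodable base64 run found in the page (markup and script)."""
    for match in B64_RUN.finditer(html):
        try:
            yield base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad length/padding
            continue


def archive_kind(blob: bytes):
    """Identify an archive by its magic bytes; None if it is not ZIP or RAR."""
    if blob.startswith(ZIP_LOCAL_MAGIC):
        return "zip"
    if blob.startswith(RAR5_MAGIC):
        return "rar5"
    if blob.startswith(RAR4_MAGIC):
        return "rar4"
    return None


def zip_encrypted_entries(blob: bytes):
    """Names of ZIP entries whose general-purpose flag bit 0 (encrypted) is set.

    The flag lives in the central directory, so it can be read without the
    password: the scanner can say "uninspectable" instead of "clean".
    """
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


def scan_html(html: bytes):
    """Return one finding per archive found base64-encoded inside the HTML."""
    findings = []
    for blob in extract_base64_blobs(html):
        kind = archive_kind(blob)
        if kind is None:
            continue
        finding = {"kind": kind, "size": len(blob), "encrypted_entries": []}
        if kind == "zip":
            try:
                finding["encrypted_entries"] = zip_encrypted_entries(blob)
            except (zipfile.BadZipFile, EOFError, struct.error):
                finding["note"] = "malformed zip"
        # RAR: encryption flags sit in the header chain; only the magic is checked here.
        findings.append(finding)
    return findings


# ---- constructed sample input --------------------------------------------

def build_zip(name: bytes, data: bytes, encrypted: bool) -> bytes:
    """Build a single-entry, stored ZIP by hand (local header, central
    directory, end-of-central-directory). With encrypted=True only the flag
    bit is raised; the data is not really ZipCrypto-encrypted, which is all
    the detector looks at."""
    flags = 0x0001 if encrypted else 0x0000
    crc = zlib.crc32(data) & 0xFFFFFFFF
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                        crc, len(data), len(data), len(name), 0) + name + data
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0,
                          0, 0, crc, len(data), len(data), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def smuggling_page(archive: bytes) -> bytes:
    """Constructed HTML-smuggling page: the archive rides inside the script as
    base64 and is rebuilt client-side, so a gateway only ever sees text."""
    payload = base64.b64encode(archive)
    return (b"<html><body><h1>Online Document Viewer</h1>\n<script>\n"
            b"var p = '" + payload + b"';\n"
            b"var bytes = Uint8Array.from(atob(p), function (c) { return c.charCodeAt(0); });\n"
            b"var blob = new Blob([bytes], {type: 'application/zip'});\n"
            b"var a = document.createElement('a');\n"
            b"a.href = URL.createObjectURL(blob); a.download = 'Document.zip'; a.click();\n"
            b"</script>\n<p>Archive password: 1234</p>\n</body></html>")


if __name__ == "__main__":
    locked = smuggling_page(build_zip(b"Invoice.js", b"// dropper placeholder\n" * 3, True))
    for finding in scan_html(locked):
        print(finding)
```

A finding with a non-empty `encrypted_entries` list is the signal that matters for the gateway: the archive could not be inspected, so it should be quarantined or the user warned, rather than passed through because no signature matched. RAR archives are only identified here; their per-entry encryption flags live in the RAR header chain and would need a separate parser.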