A Microsoft Surface Pro 4 sits on display at a media event for Microsoft products on Oct. 6, 2015, in New York City. (Photo by Andrew Burton/Getty Images)

HP Wolf Security reported Thursday in its Q3 report that archives have become the most popular file type for delivering malware, with an 11% increase in isolated samples compared with Q2, overtaking Office formats for the first time.

The HP report found that attackers are bypassing perimeter network security controls such as email scanners by encrypting malicious payloads inside archives and HTML files. They then rely on social engineering techniques — mainly via email — to lure in unsuspecting victims.

What's really notable in this HP report is that Office formats have now been overtaken by archive files as the most popular file type for delivering malware, said Adrien Gendre, chief tech and product officer at Vade. Gendre said the change is likely caused by the intense spike that threat research teams across the industry have seen in downloads and executions of the QakBot malware.

“The new technique also reinforces the increased sophistication we've seen from threat actor groups in 2022,” Gendre said. “They're becoming more innovative at bypassing defenses like virus scanners and sandboxing and doing their homework to create extremely convincing, complex social-engineering techniques that make it into users' inboxes.”

James Quinn, malware analyst at Intel 471, explained that the technique of "hiding" malicious files in HTML is not new. For example, Quinn said the threat actors behind Hancitor used this technique to "hide" malicious Word documents in 2021. It's just another technique for breaking automated analysis pipelines and bypassing security tools.

“We believe the HTML files described by HP are generated using a toolkit,” Quinn said. “Some campaigns we have observed use several randomly generated passwords (protecting the zip archives). The use of several different passwords in a single campaign suggests that the build process for these payloads is automated, i.e. a builder tool or script creates the final HTML and potentially also intermediary payloads.”

Quinn added that another clue is that they have observed several disparate threat actors using the same technique, suggesting that a single threat actor has been offering a service or tool to other threat actors that use this tool in their spreading campaigns. Besides the Qbot and IcedID (aka Bokbot) campaigns, Quinn said they have also seen the same HTML smuggling technique used to spread Bumblebee.

“Despite the apparent success in bypassing security controls, this technique has drawbacks, as well,” Quinn said. “The end user has to jump through several hoops to make this attack work. They must unzip the payload using the provided password, find the malicious ISO file that is extracted, mount the ISO image and finally browse to the script/document to open it. The threat actors behind this new tool continue to refine the technique and add new features. The latest iteration uses JavaScript in the HTML payload to only move to the next stage when mouse movement is detected.”

Mike Parkin, senior technical engineer at Vulcan Cyber, said there are some interesting trends here, with threat actors finding new techniques to bypass email gateway protections and spam filters, but the takeaway is that they are still heavily leveraging social engineering against users to land their attacks.

Parkin said almost 70% of the attacks in this report are through email, which does imply there’s still room for improvement on the email defense side, with a need to identify and stop the latest bypass techniques.

“Though ultimately these attacks require user interaction to succeed, so user awareness and education remains vital,” Parkin said. “The report isn't specific enough for me to really give any more depth on the technique than what's already there. The general idea behind encrypting payloads, separate from encrypting the target's files with ransomware, is that conventional tools can't check the archive for malware. It has to either let it through or block it specifically because it can't be checked.”
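The defender-side counterpart to the point Quinn and Parkin make above, as an added example that is not from the HP report or from any of the quoted companies: a small Python gateway check that reads a ZIP attachment's central directory, flags any entry whose encryption bit is set (content a scanner cannot inspect, so the archive is held rather than waved through) and notes inner ISO/script names matching the chain described in the article. The sample archives, the `build_zip` helper and the `RISKY_INNER_SUFFIXES` list are constructed for this demonstration.

```python
import io
import struct
import zipfile

# Inner file types from the chain described above (ISO image, script/document);
# list is constructed for this example, tune it to your own gateway policy.
RISKY_INNER_SUFFIXES = (".iso", ".img", ".js", ".vbs", ".lnk", ".hta", ".wsf")


def inspect_archive(data: bytes) -> dict:
    """Gateway verdict for one ZIP attachment.

    A ZIP entry with general-purpose flag bit 0 set is encrypted, so its
    content cannot be scanned; the sound policy is to block or hold it
    instead of passing an unscannable payload to the user.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"verdict": "block", "reasons": ["not a valid ZIP archive"]}
    for info in zf.infolist():
        if info.flag_bits & 0x1:  # bit 0: entry is encrypted
            reasons.append(f"encrypted entry (unscannable): {info.filename}")
        if info.filename.lower().endswith(RISKY_INNER_SUFFIXES):
            reasons.append(f"risky inner file type: {info.filename}")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def build_zip(name: str, payload: bytes, encrypted_flag: bool = False) -> bytes:
    """Construct a one-entry test ZIP. With encrypted_flag, set bit 0 in both
    the local (offset 6) and central (offset 8) headers to mimic a
    password-protected archive; the data itself is not really encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        local = data.find(b"PK\x03\x04")
        central = data.find(b"PK\x01\x02")
        for off in (local + 6, central + 8):
            flags = struct.unpack_from("<H", data, off)[0] | 0x1
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


if __name__ == "__main__":
    samples = [
        ("plain report", build_zip("report.txt", b"quarterly numbers")),
        ("password-protected ISO", build_zip("invoice.iso", b"constructed", True)),
    ]
    for desc, sample in samples:
        print(desc, inspect_archive(sample))
```

Run it and the plain archive is allowed while the constructed password-protected ISO is blocked with two reasons; feeding it non-ZIP bytes also yields a block verdict.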