Native Windows support for more archive formats has complicated cyber threat detection
- Cofense reports that threat actors are exploiting the wider range of archive formats, and misleading file extensions, to slip past Secure Email Gateway (SEG) file filters
- Multi-layered defenses are crucial for combating archive-based malware threats
- Employee awareness strengthens defenses against suspicious archive files
The use of archive files as malware delivery mechanisms is evolving, posing challenges for Secure Email Gateways (SEGs), new research shows.
A recent report from Cofense highlights how cybercriminals are abusing a variety of archive formats to bypass email security controls, especially since a major update to Windows in late 2023. Traditionally, .zip files have been the most common archive format in malware campaigns because of their ubiquity and compatibility across operating systems.
However, Microsoft’s introduction of native Windows support for additional formats such as .rar, .7z and .tar has expanded the set of containers available to threat actors, since recipients can now open these files without installing third-party software. These newer formats now account for a growing share of the malicious attachments observed in SEG-protected environments.
Why archives act as malware vectors
Password-protecting archives is a common attacker tactic because it prevents automated scanners from opening the archive and inspecting its contents.
Between May 2023 and May 2024, Cofense identified 15 archive formats used in malware campaigns. While .zip files dominated, accounting for up to 50% of samples, formats such as .rar, .7z and .gz gained ground significantly, especially after Microsoft’s late 2023 update.
Certain malware families have a preference for specific archive types. For example, StrelaStealer and NetSupport RAT are consistently delivered via .zip files. Other malware, such as information stealers and remote access trojans (RATs), use a range of formats depending on the attack method.
Password-protected archives present an additional challenge for SEGs. Although only about 5% of the observed malicious archives were password protected, these files frequently evade detection: the password is typically stated in the body of the lure email, and an SEG that cannot extract it from the message text has no way to open the archive and scan what is inside. Combined with embedded URLs that point to malware-hosting sites, this tactic allows attackers to bypass traditional defenses.
To combat the growing threat of malware-laden archives, organizations are advised to adopt a multi-layered defense strategy. Employee awareness is critical, as well-trained staff can identify suspicious files, especially those with unusual extensions or misleading duplicate endings, such as ‘.docx.zip’.
Organizations should also restrict archive formats that have no apparent business purpose, such as .vhd(x) disk images, which are rarely needed in email communications. In addition, SEGs must be able to identify a file’s actual format from its content rather than its extension, flag any discrepancy between the two, and handle password-protected archives rather than passing them through unscanned.
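As an added illustration of the checks the last two paragraphs call for (this is example code written for this page, not Cofense’s tooling or anything from the report), the script below triages an email attachment the way the article says an SEG should: it identifies the real container format from the bytes, compares it with the claimed extension, flags misleading duplicate endings such as .docx.zip, rejects disk-image formats that have no business purpose in mail, and, for a zip whose entries carry the “encrypted” flag, harvests candidate passwords from the lure text so the archive can actually be opened for inspection. The signature table, the password-phrase regex, the blocked-format policy, the sample archive and the lure text are all constructed assumptions for the example; the sample zip only has its encryption flag set, its payload is not really encrypted.

```python
"""Attachment triage for archive-based lures (illustrative example, not an SEG product)."""
import io
import re
import zipfile
from typing import Dict, List, Optional

# Leading signatures for the formats the article names (assumed table). tar has no
# leading magic; POSIX tar carries "ustar" at offset 257. VHD uses the "conectix"
# footer (dynamic disks also place a copy at offset 0); VHDX starts with "vhdxfile".
MAGIC = {
    "zip": (b"PK\x03\x04",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "gz": (b"\x1f\x8b\x08",),
}
ARCHIVE_EXTS = {"zip", "rar", "7z", "gz", "tgz", "tar", "vhd", "vhdx"}
NO_BUSINESS_PURPOSE = {"vhd", "vhdx"}   # policy choice for this example, per the article
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "jpg", "png"}
# Assumed lure phrasings: "the password is Inv0ice2024", "Password: 1234", "PIN 8843"
PASSWORD_RE = re.compile(
    r"\b(?:password|passcode|pwd|pin)\s*(?:is|:)?\s*[\"'\u201c]?([A-Za-z0-9!@#$%^&*_-]{4,32})",
    re.IGNORECASE,
)


def sniff(data: bytes) -> Optional[str]:
    """Return the container format implied by the content, ignoring the filename."""
    for fmt, sigs in MAGIC.items():
        if data.startswith(sigs):
            return fmt
    if data[257:262] == b"ustar":
        return "tar"
    if data.startswith(b"vhdxfile"):
        return "vhdx"
    if data.startswith(b"conectix") or data[-512:-504] == b"conectix":
        return "vhd"
    return None


def zip_encrypted_entries(data: bytes) -> List[str]:
    """Names of zip entries with general-purpose bit 0 (the 'encrypted' flag) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if info.flag_bits & 0x1]


def harvest_passwords(email_body: str) -> List[str]:
    """Pull candidate archive passwords out of the lure text, preserving order."""
    return list(dict.fromkeys(PASSWORD_RE.findall(email_body)))


def triage_attachment(filename: str, data: bytes, email_body: str) -> Dict:
    exts = filename.lower().split(".")[1:]
    claimed = exts[-1] if exts else ""
    actual = sniff(data)
    findings: List[str] = []
    passwords: List[str] = []

    # 1. Does the content match the extension? (.tgz is a gzip stream, so allow it.)
    if actual is None and claimed in ARCHIVE_EXTS:
        findings.append(f"extension .{claimed} but no recognised archive signature")
    elif actual and actual != claimed and not (claimed == "tgz" and actual == "gz"):
        findings.append(f"extension .{claimed} but content is {actual}")

    # 2. Misleading duplicate endings such as report.docx.zip
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")

    # 3. Disk-image formats with no business purpose in email
    if claimed in NO_BUSINESS_PURPOSE or actual in NO_BUSINESS_PURPOSE:
        findings.append(f"disk-image format {actual or claimed} not permitted in mail")

    # 4. Encrypted zip: recover the password from the lure instead of skipping the scan
    if actual == "zip":
        encrypted = zip_encrypted_entries(data)
        if encrypted:
            passwords = harvest_passwords(email_body)
            findings.append(f"encrypted entries {encrypted}; candidate passwords {passwords}")

    return {"format": actual, "findings": findings,
            "candidate_passwords": passwords, "quarantine": bool(findings)}


def build_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed sample: a one-entry zip. With mark_encrypted, set bit 0 of the
    general-purpose flags in the local header (offset 6) and the central directory
    (offset 8) so a scanner sees a password-protected archive. The payload itself is
    left unencrypted; this only exercises the detection path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("document.txt", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


# Constructed lure text: the password sits in the body, where the SEG has to look for it.
LURE_BODY = ("Dear customer, the attached invoice is protected. "
             "The archive password is Inv0ice2024. Kind regards.")

if __name__ == "__main__":
    for name, blob, body in [
        ("Invoice_2024.docx.zip", build_sample_zip(True), LURE_BODY),
        ("report.zip", build_sample_zip(False), "Hi, report attached."),
        ("photo.jpg", build_sample_zip(False), ""),
        ("backup.vhdx", b"vhdxfile" + bytes(120), ""),
    ]:
        print(name, triage_attachment(name, blob, body))
```

The point of step 4 is that a password-protected archive is not a reason to skip scanning: the same message that carries the archive almost always carries the password, so a gateway that parses the body can open the file and inspect the contents. In a production pipeline the harvested candidates would be fed to the archive extractor (and the 7z or RAR equivalents of the encryption flag handled the same way); the example stops at detection and harvesting so that it runs offline on the constructed sample.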