- Cofense report claims threat actors manipulate extensions to evade SEG file filters effectively
- Multi-layered defenses are crucial for combating archive-based malware threats
- Employee awareness strengthens defenses against suspicious archive files
The use of archive files as malware delivery mechanisms is evolving, presenting challenges for Secure Email Gateways (SEGs), new research has claimed.
A recent report by Cofense highlights how cybercriminals exploit various archive formats to bypass security protocols, particularly following a significant update to Windows in late 2023. Traditionally, .zip files have been the most common archive format used in malware campaigns due to their ubiquity and compatibility across operating systems.
However, Microsoft’s introduction of native support for additional formats like .rar, .7z, and .tar has expanded the arsenal of formats used by threat actors. These newer formats now account for a growing share of malicious attachments observed in SEG-protected environments.
Why archives work as malware vectors
Password-protecting archives is a common tactic used by attackers, as it prevents automated tools from analyzing the file’s contents.
Between May 2023 and May 2024, Cofense identified 15 archive formats used in malware campaigns. While .zip files dominated, taking up to 50%, formats like .rar, .7z, and .gz surged in popularity, particularly after Microsoft’s update in late 2023.
Certain malware families have a preference for specific archive types. For example, StrelaStealer and NetSupport RAT are consistently delivered via .zip files. Other malware, such as information stealers and remote access trojans (RATs), leverage a range of formats depending on the attack method.
Password-protected archives pose an additional challenge for SEGs. While only about 5% of observed malicious archives were password-protected, these files often evade detection because SEGs struggle to differentiate passwords embedded in lure emails. This tactic, combined with embedded URLs leading to malware-hosting sites, enables attackers to sidestep traditional defenses.
To counter the growing threat of malware-laden archives, organizations are recommended to adopt a multi-layered defense strategy. Employee awareness is critical, as well-trained staff can identify suspicious files, particularly those with unusual extensions or deceptive double endings, such as “.docx.zip.”
Organizations should also restrict the use of archive formats that lack clear business purposes, like .vhd(x) files, which are rarely necessary for email communication. Furthermore, SEGs should be equipped with advanced capabilities to analyze actual file formats, detect discrepancies, and manage password-protected archives.
