A Windows filetype update may have complicated cyber threat detection efforts

(Image credit: Shutterstock / Belozersky)

Cofense report claims threat actors manipulate extensions to evade SEG file filters effectively
Multi-layered defenses are crucial for combating archive-based malware threats
Employee awareness strengthens defenses against suspicious archive files

The use of archive files as malware delivery mechanisms is evolving, presenting challenges for Secure Email Gateways (SEGs), new research has claimed.

A recent report by Cofense highlights how cybercriminals exploit various archive formats to bypass security protocols, particularly following a significant update to Windows in late 2023. Traditionally, .zip files have been the most common archive format used in malware campaigns due to their ubiquity and compatibility across operating systems.

However, Microsoft’s introduction of native support for additional formats like .rar, .7z, and .tar has expanded the arsenal of formats used by threat actors. These newer formats now account for a growing share of malicious attachments observed in SEG-protected environments.

Why archives work as malware vectors

Password-protecting archives is a common tactic used by attackers, as it prevents automated tools from analyzing the file’s contents.

Between May 2023 and May 2024, Cofense identified 15 archive formats used in malware campaigns. While .zip files dominated, taking up to 50%, formats like .rar, .7z, and .gz surged in popularity, particularly after Microsoft’s update in late 2023.

Certain malware families have a preference for specific archive types. For example, StrelaStealer and NetSupport RAT are consistently delivered via .zip files. Other malware, such as information stealers and remote access trojans (RATs), leverage a range of formats depending on the attack method.

Password-protected archives pose an additional challenge for SEGs. While only about 5% of observed malicious archives were password-protected, these files often evade detection because SEGs struggle to differentiate passwords embedded in lure emails. This tactic, combined with embedded URLs leading to malware-hosting sites, enables attackers to sidestep traditional defenses.

To counter the growing threat of malware-laden archives, organizations are recommended to adopt a multi-layered defense strategy. Employee awareness is critical, as well-trained staff can identify suspicious files, particularly those with unusual extensions or deceptive double endings, such as “.docx.zip.”

Organizations should also restrict the use of archive formats that lack clear business purposes, like .vhd(x) files, which are rarely necessary for email communication. Furthermore, SEGs should be equipped with advanced capabilities to analyze actual file formats, detect discrepancies, and manage password-protected archives.

These are the best antivirus software services
Take a look at our guide to the best endpoint protection
Ransomware attackers leak stolen Rhode Island private info following hack

TOPICS

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com