We explain which file types cybercriminals most often use to hide malware and how you can avoid infection.
Spammers send billions of messages every day, most of which are banal advertisements: annoying, but essentially harmless. Every now and then, however, a malicious file is attached to one of these otherwise harmless-looking emails.
In order to trick the recipient into opening a dangerous message, it is usually disguised as interesting, useful or important: For example, as a work document, an irresistible offer, a gift card bearing the logo of a well-known company or the like.
In this post, we take a look at the four attachment types most often used to hide malware, and what makes each of them dangerous.
1. ZIP and RAR archives
Cybercriminals love to hide malware in archives. For example, ZIP files with the enticing name "Love_You0891" (the trailing digits varied) were used by attackers to spread GandCrab ransomware on the eve of Valentine's Day. A few weeks later, other scammers were spotted sending archives containing the Qbot Trojan, which specializes in data theft.
In addition, a path traversal vulnerability in WinRAR's handling of ACE archives was disclosed this year. Because of it, a crafted archive could make the program write extracted files to an arbitrary path rather than the folder the user chose. In particular, a file could be dropped into the Windows Startup folder, where it inevitably runs at the next logon. WinRAR users should therefore update the program immediately; the fix removed support for the affected archive format.
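The trick above depends on an entry name that escapes the extraction folder. The following script, an added example and not code from the original article, scans an archive for such entries and flags the ones that would land in a Startup folder. The WinRAR flaw concerned ACE archives; ZIP is used here only because the Python standard library can build and read one offline. The archive, its entry names and the payload bytes are all constructed sample data.

```python
"""Added example, not code from the original article: flag archive entries
that would escape the extraction folder, e.g. into the Windows Startup folder.
The archive and every file name in it are constructed sample data."""
import io
import zipfile

# Per-user and all-users Startup folders, relative to a profile/system root.
# Anything dropped here runs at the next logon.
STARTUP_DIRS = (
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
    "ProgramData/Microsoft/Windows/Start Menu/Programs/StartUp",
)


def build_sample_archive() -> bytes:
    """Construct a ZIP with one harmless entry and two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Love_You0891.txt", "happy valentine's day")
        # Crafted name: climbs out of the extraction folder into Startup.
        zf.writestr("../../../../" + STARTUP_DIRS[0] + "/update.exe",
                    b"MZ\x90\x00 placeholder, not a real executable")
        # Absolute path: Python's extract() strips the leading slash, but
        # other extractors have not always done so, so flag it regardless.
        zf.writestr("/Windows/Temp/payload.dll", b"MZ\x90\x00")
    return buf.getvalue()


def escapes_extraction_dir(name: str) -> bool:
    """True for absolute, drive-letter or '..'-containing entry names."""
    parts = name.replace("\\", "/").split("/")
    return (
        name.startswith(("/", "\\"))
        or (len(name) > 1 and name[1] == ":")
        or ".." in parts
    )


def targets_startup(name: str) -> bool:
    """True if the entry, after discarding '..' hops, lands in a Startup folder."""
    parts = [p for p in name.replace("\\", "/").split("/") if p not in ("", ".", "..")]
    folder = "/".join(parts[:-1]).lower()
    return any(folder.endswith(d.lower()) for d in STARTUP_DIRS)


def unsafe_entries(archive_bytes: bytes) -> dict[str, str]:
    """Map each suspicious entry name to the reason it was flagged."""
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if targets_startup(name):
                flagged[name] = "writes into a Startup folder (persistence)"
            elif escapes_extraction_dir(name):
                flagged[name] = "path escapes the extraction folder"
    return flagged


def safe_extract(archive_bytes: bytes, dest: str) -> None:
    """Refuse the whole archive if any entry is unsafe; otherwise extract."""
    bad = unsafe_entries(archive_bytes)
    if bad:
        raise ValueError(f"refusing to extract: {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest)


if __name__ == "__main__":
    for entry, why in unsafe_entries(build_sample_archive()).items():
        print(f"{entry!r}: {why}")
```

The check is deliberately done on the entry names before anything is written to disk, and the whole archive is rejected rather than just the bad entry: an archive that needs to be "cleaned" is not one you want on the machine at all. Backslashes and drive letters are treated as separators and roots because Windows extractors accept them even though the ZIP specification does not.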
2. Microsoft Office documents
Microsoft Office files are particularly popular with cybercriminals: Word documents (.doc, .docx, .docm), Excel spreadsheets (.xls, .xlsx, .xlsm), presentations and templates. The legacy binary formats (.doc, .xls) and the macro-enabled formats (.docm, .xlsm, .pptm) can contain so-called macros, small VBA programs that run inside the file, which attackers use as downloaders for the actual malware. The plain .docx and .xlsx formats cannot store macros, but they can still carry embedded objects and links, and the extension of an attachment is only a name the sender chose.
Most often, such attachments are aimed at office workers and are disguised as contracts, invoices, tax notifications or urgent messages from management. For example, the banking Trojan Ursnif was pushed on Italian users under the guise of a payment request. Once the victim opened the file and agreed to enable macros (Office disables them by default for security reasons and asks the user instead), the Trojan was downloaded to the computer.
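Whether an attachment can carry macros at all is decided by its contents, not by the name it arrives with. The script below is an added example, not code from the original article: it recognises the two Office container formats from their leading bytes and, for the ZIP-based OOXML packages, looks for a VBA project part. The sample documents are constructed in memory and the macro part is a placeholder; a real VBA project would be parsed with a dedicated tool such as olevba from oletools.

```python
"""Added example, not code from the original article: decide from the bytes of
an Office attachment, not its extension, whether it can carry VBA macros.
Sample documents are constructed in memory; the macro part is a placeholder."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
OOXML_MAGIC = b"PK\x03\x04"                        # .docx/.docm/.xlsx/.xlsm are ZIP packages
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def classify_office(data: bytes) -> dict:
    """Return the container type, whether macros are present (None = cannot
    tell without an OLE2 parser) and the evidence found."""
    result = {"container": "unknown", "macros": False, "evidence": []}
    if data.startswith(OLE2_MAGIC):
        # The legacy binary formats keep VBA in OLE storages; reading those
        # needs a dedicated parser (e.g. olevba), so treat the whole format as
        # macro-capable rather than guessing.
        result.update(container="ole2", macros=None)
        result["evidence"].append("legacy OLE2 container, macro-capable: inspect with olevba")
        return result
    if not data.startswith(OOXML_MAGIC):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        result["container"] = "ooxml"
        names = zf.namelist()
        for name in names:
            if name.lower().endswith("vbaproject.bin"):
                result["macros"] = True
                result["evidence"].append(f"VBA project part: {name}")
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            result["macros"] = True
            result["evidence"].append("[Content_Types].xml declares a VBA project")
    return result


def extension_mismatch(filename: str, data: bytes) -> bool:
    """A 'macro-free' extension on a file that actually holds a VBA project.
    The extension is just part of the name and is chosen by the sender."""
    return (filename.lower().endswith(MACRO_FREE_EXTENSIONS)
            and classify_office(data)["macros"] is True)


def build_ooxml(with_macros: bool) -> bytes:
    """Construct a minimal Word package, optionally with a VBA project part."""
    types = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
        '<Default Extension="xml" ContentType="application/xml"/>',
    ]
    if with_macros:
        types.append('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>')
    types.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("Invoice.docx, macro-free", build_ooxml(False)),
                       ("Invoice.docx, VBA inside", build_ooxml(True))):
        print(label, classify_office(doc), "mismatch:", extension_mismatch("Invoice.docx", doc))
```

Two signals are checked for OOXML because either alone can be tampered with: the `vbaProject.bin` part is where the code lives, and the content-types manifest is what declares it to Office. A mail gateway rule built on this would quarantine anything where `macros` is `True` or `None`, and separately flag an `extension_mismatch`, since a macro-bearing package arriving as "Invoice.docx" has no honest explanation.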
3. PDF files
Cybercriminals also have a particular penchant for hiding phishing links in PDF documents. In one spam campaign, for example, scammers asked users to visit a "secure" page, where they were then prompted to log in to their American Express account. It hardly needs saying that the credentials entered there went straight to the scammers.
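A PDF's clickable links are stored as `/URI` actions inside link annotations, so they can be listed without rendering the file. The script below is an added example, not code from the original article: it pulls every link target out of a PDF, including ones tucked into compressed object streams, and reports the ones whose host does not belong to the brand the document claims to be from. The sample PDF, the brand domain `examplebank.com` and the look-alike host are all constructed for the example.

```python
"""Added example, not code from the original article: list the link targets in
a PDF and flag those that point away from the claimed brand's domain.
The sample PDF and all domains in it are constructed for the example."""
import re
import zlib
from urllib.parse import urlsplit

# A link action looks like: /A << /S /URI /URI (https://host/path) >>
# Literal strings may escape ')' '(' and '\' with a backslash.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^)\\])*)\)")
# Compressed objects (FlateDecode) hide dictionaries from a plain text search.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(literal: bytes) -> str:
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """All /URI targets found in the clear or inside zlib-compressed streams."""
    found = [_unescape(m) for m in URI_RE.findall(pdf)]
    for body in STREAM_RE.findall(pdf):
        try:
            inflated = zlib.decompress(body)
        except zlib.error:      # not FlateDecode (or damaged); skip it
            continue
        found.extend(_unescape(m) for m in URI_RE.findall(inflated))
    return found


def off_brand_links(pdf: bytes, brand_domain: str) -> list[str]:
    """Links that are not http(s) or whose host is outside brand_domain.
    'examplebank.com.evil.example' is NOT inside examplebank.com."""
    brand = brand_domain.lower()
    bad = []
    for url in extract_uris(pdf):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        in_brand = host == brand or host.endswith("." + brand)
        if parts.scheme not in ("http", "https") or not in_brand:
            bad.append(url)
    return bad


def build_sample_pdf() -> bytes:
    """Constructed sample: one link in the clear, one hidden in a Flate stream."""
    inline = b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.examplebank.com/help) >> >>"
    hidden = zlib.compress(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://examplebank.com.secure-login.example/verify) >> >>"
    )
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n" + inline + b"\nendobj\n"
        b"2 0 obj\n<< /Filter /FlateDecode /Length " + str(len(hidden)).encode() + b" >>\n"
        b"stream\n" + hidden + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("all links:", extract_uris(sample))
    print("off-brand:", off_brand_links(sample, "examplebank.com"))
```

The host comparison is the part worth copying: the lure in the sample starts with the brand's domain, which is exactly what a victim glancing at the status bar sees, but `urlsplit` reports the real host and the suffix test rejects it. The scan only understands literal strings and zlib-compressed streams; links encoded as hex strings or behind other filters need a real PDF parser (pdf-parser, pikepdf), so treat an empty result from this script as "nothing found", not "nothing there".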
4. ISO and IMG disk images
Compared to the previous types of attachments, ISO and IMG files are rarely used, but cybercriminals have been paying much more attention to them recently. An ISO file is an image of an optical disc (CD or DVD) and an IMG file a raw image of a disk; modern versions of Windows mount both with a double-click, so the attachment appears as a new drive whose contents look like ordinary files.
Attackers used a disk image to smuggle malware, such as the Agent Tesla Trojan, which specializes in data theft, onto victims' computers. The image contained a malicious executable; once the victim ran it, it installed the spyware on the computer. In some cases the cybercriminals curiously used two attachments (an ISO and a DOC file), presumably to be on the safe side.
How to properly deal with potentially malicious attachments
Moving every message with an attached archive, .docx or .pdf file to the spam folder would be overkill. To outsmart the scammers, remember a few simple rules instead:
Do not open suspicious emails from unknown senders. If you do not know why a message with a specific subject landed in your inbox, you should simply ignore it.
If your work involves correspondence from strangers, you should first check the sender's email address and the name of the attached file. If something seems strange to you, you should not open the attachment under any circumstances.
Do not allow macros to run in documents you receive via email unless you are sure it is absolutely necessary.
Treat all links within a message or file with caution. If you don't quite understand why you are being asked to open a link, simply ignore it. If you do need the site, type its address into your browser yourself instead of clicking the link.
Use a reliable security solution that will inform you about dangerous files, block them and also send you a warning message as soon as you try to open a suspicious page.