Virtualization Technology News and Information
Article
Search:
RSS
Follow VMblog.com:
Improve end user experience in VDI, DaaS and physical endpoint environments
HP Wolf Security report shows powerful combination of archive files and HTML smuggling is helping threat actors hoodwink detection tools

HP Inc. issued its third quarter HP Wolf Security Threat Insights Report, finding that archive file formats - such as ZIP and RAR files - were the most common file type for delivering malware, surpassing Office files for the first time in three years. This report provides an analysis of real-world cyberattacks, helping organizations to keep up with the latest techniques cybercriminals use to evade detection and breach users in the fast-changing cybercrime landscape.

Based on data from millions of endpoints running HP Wolf Security, the research found 44% of malware was delivered inside archive files - an 11% rise on the previous quarter - compared to 32% delivered through Office files such as Microsoft Word, Excel, and PowerPoint.

The report identified several campaigns that were combining the use of archive files with new HTML smuggling techniques - where cybercriminals embed malicious archive files into HTML files to bypass email gateways - to then launch attacks.

For example, recent QakBot and IceID campaigns used HTML files to direct users to fake online document viewers that were masquerading as Adobe. Users were then instructed to open a ZIP file and enter a password to unpack the files, which then deployed malware onto their PCs.

As the malware within the original HTML file is encoded and encrypted, detection by email gateway or other security tools is very difficult. Instead, the attacker relies on social engineering, creating a convincing and well-designed web page to fool people into initiating the attack by opening the malicious ZIP file. In October, the same attackers were also found using fake Google Drive pages in an ongoing effort to trick users into opening malicious ZIP files.

"Archives are easy to encrypt, helping threat actors to conceal malware and evade web proxies, sandboxes, or email scanners. This makes attacks difficult to detect, especially when combined with HTML smuggling techniques. What was interesting with the QakBot and IceID campaigns was the effort put in to creating the fake pages - these campaigns were more convincing than what we've seen before, making it hard for people to know what files they can and can't trust," explains Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

HP also identified a complex campaign using a modular infection chain, which could potentially enable attackers to change the payload - such as spyware, ransomware, keylogger - mid-campaign, or to introduce new features, like geo-fencing. This could enable an attacker to change tactics depending on the target they have breached. By not including malware directly in the attachment sent to the target, it is also harder for email gateways to detect this type of attack.

"As shown, attackers are constantly switching up techniques, making it very difficult for detection tools to spot," comments Dr Ian Pratt, Global Head of Security for Personal Systems, HP Inc. "By following the Zero Trust principle of fine-grained isolation, organizations can use micro-virtualization to make sure potentially malicious tasks - like clicking on links or opening malicious attachments - are executed in a disposable virtual machine separated from the underlying systems. This process is completely invisible to the user, and traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally."

HP Wolf Security runs risky tasks like opening email attachments, downloading files and clicking links in isolated, micro-virtual machines (micro-VMs) to protect users, capturing detailed traces of attempted infections. HP's application isolation technology mitigates threats that can slip past other security tools and provides unique insights into novel intrusion techniques and threat actor behavior. By isolating threats on PCs that have evaded detection tools, HP Wolf Security has specific insight into the latest techniques being used by cybercriminals. To date, HP customers have clicked on over 18 billion email attachments, web pages, and downloaded files with no reported breaches.

This data was anonymously gathered within HP Wolf Security customer virtual machines from July-September 2022.

Published Thursday, December 01, 2022 8:53 AM by David Marshall
Filed under: ,
Get This Featured White Paper: Multi-cloud Data Protection-as-a-service: The HYCU Protégé Platform
You may also be interested in this white paper: Exploring AIOps: Cluster Analysis for Events
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
CTE2023
CC2023
big-5g
DTX2023
connected-america
unified-communications
kubecon-eu-2023
disrupt2023
vExpert
Calendar
<December 2022>
SuMoTuWeThFrSa
27282930123
45678910
11121314151617
18192021222324
25262728293031
1234567