Hackers Use Archive Files and HTML Smuggling to Bypass Detection Tools


Attackers are increasingly packaging malware in encrypted archives before distributing it in the wild.

According to HP Wolf Security’s latest Threat Insights Report Q3 2022, 44% of malware was delivered via archive files in the third quarter of 2022, an 11% increase from the previous quarter and substantially more than the 32% delivered through Office files.

In the report, published by HP on Thursday, the team said it identified several Q3 campaigns that combined archive files with HTML smuggling techniques to launch attacks. In HTML smuggling, the malicious archive is embedded in encoded form inside an HTML attachment and reassembled by script when the victim opens it in a browser, so the email gateway inspects only the HTML file and never sees the archive itself.

“The technique of ‘hiding’ malicious files in HTML is not new,” explained James Quinn, malware analyst at Intel 471. “For example, the threat actors behind Hancitor used this technique to ‘hide’ malicious Word documents in 2021.”

At the same time, Quinn added that Intel 471 believes the HTML files described by HP are generated using a toolkit, since some campaigns observed by Intel 471 used several randomly generated passwords to protect the ZIP archives.

“The use of several different passwords in a single campaign suggests that the build process for these payloads is automated, i.e., a builder tool or script creates the final HTML and potentially also intermediary payloads.”

The HP report directly mentions QakBot and IcedID campaigns that relied on HTML files to direct users to fake online document viewers disguised as Adobe. Victims were then prompted to open a ZIP file and enter a password to unpack the files, which deployed malware onto their PCs.
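To make the two techniques described above concrete, the following is an added example written for this article, not code from HP, Intel 471 or any of the campaigns discussed. It builds a constructed HTML-smuggling lure of the kind the report describes (a base64-encoded ZIP reassembled by JavaScript into a browser download, behind a fake document-viewer message), then runs a small triage check of the sort a mail-gateway or sandbox analyst might write: it flags the browser APIs that smuggling relies on, decodes any large base64 string in the page, and parses the ZIP local file headers to tell whether the entries are password-protected (bit 0 of the general-purpose flag). The file names, the lure text and the flag-bit patching used to simulate an encrypted entry are all assumptions made for the example.

```python
import base64
import binascii
import io
import re
import struct
import zipfile

# --- Constructed sample lure -------------------------------------------------

def build_sample_zip(encrypted_flag: bool) -> bytes:
    """Build a tiny ZIP in memory. Hypothetical entry name and contents.

    zipfile cannot write password-protected archives, so when encrypted_flag is
    set we flip bit 0 of the general-purpose flag in the local file header
    (offset 6) to simulate what a real password-protected entry looks like.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Document_Scan.iso", b"constructed placeholder, not a real payload")
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        data[6] |= 0x01
    return bytes(data)

# A minimal smuggling page: the archive travels inside the HTML as base64 and is
# turned back into a file download by script in the victim's browser, so the
# mail gateway only ever inspects an HTML attachment. Lure text is constructed.
SAMPLE_HTML = f"""<html><body>
<p>Adobe Acrobat Reader: your document is loading...</p>
<script>
var b64 = "{base64.b64encode(build_sample_zip(True)).decode()}";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Document_Scan.zip";
a.click();
</script></body></html>"""

# --- Triage logic -------------------------------------------------------------

# Browser APIs a smuggling page needs to rebuild and deliver the file.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(",
                  "msSaveOrOpenBlob(", ".download")

# Quoted base64 runs of at least 100 chars (tune the threshold for real traffic).
B64_BLOB = re.compile(r'''["']([A-Za-z0-9+/]{100,}={0,2})["']''')

LOCAL_HDR = "<IHHHHHIIIHH"   # 30-byte ZIP local file header
LOCAL_SIG = b"PK\x03\x04"


def inspect_payload(blob: bytes) -> dict:
    """Walk the ZIP local file headers and report per-entry encryption flags."""
    info = {"size": len(blob), "is_zip": blob[:4] == LOCAL_SIG,
            "encrypted": False, "entries": []}
    if not info["is_zip"]:
        return info
    off = 0
    while blob[off:off + 4] == LOCAL_SIG:
        (_sig, _ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, fnlen, exlen) = struct.unpack_from(LOCAL_HDR, blob, off)
        name = blob[off + 30: off + 30 + fnlen].decode("utf-8", "replace")
        encrypted = bool(flags & 0x0001)   # bit 0: entry is encrypted
        info["entries"].append({"name": name, "encrypted": encrypted})
        info["encrypted"] = info["encrypted"] or encrypted
        off += 30 + fnlen + exlen + csize    # next local header (or central dir)
    return info


def analyze_html(html: str) -> dict:
    """Flag an HTML attachment that carries a ZIP and the script to drop it."""
    result = {"apis": [api for api in SMUGGLING_APIS if api in html],
              "payloads": []}
    for m in B64_BLOB.finditer(html):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except (ValueError, binascii.Error):
            continue
        result["payloads"].append(inspect_payload(decoded))
    result["suspicious"] = (len(result["apis"]) >= 2 and
                            any(p["is_zip"] for p in result["payloads"]))
    return result


if __name__ == "__main__":
    verdict = analyze_html(SAMPLE_HTML)
    print("smuggling APIs:", verdict["apis"])
    for p in verdict["payloads"]:
        print("embedded ZIP:", p["is_zip"], "encrypted:", p["encrypted"], p["entries"])
    print("suspicious:", verdict["suspicious"])
```

The check deliberately stops at the local file headers: a password-protected entry cannot be scanned for content anyway, so the useful signal at the gateway is the combination of an HTML attachment, download-reconstruction script and an embedded archive whose entries set the encryption bit. Real campaigns obfuscate the script and split or reverse the base64, so the string matches above are a starting point to extend, not a complete signature.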

Commenting on the new figures, Mike Parkin, senior technical engineer at Vulcan Cyber, said the report shows interesting trends.

“Threat actors [are] finding new techniques to bypass email gateway protections, spam filters, etc., but the takeaway is that they are still heavily leveraging social engineering against the users to land their attacks,” the executive told Infosecurity.

“Almost 70% of the attacks in this report are through email, which does imply there is still room for improvement on the email defense side with a need to identify and stop the latest bypass techniques,” Parkin added.

“Though, ultimately, these attacks require user interaction to succeed, so user awareness and education remain vital.”

For additional information about security threats in Q3 2022, the full HP Wolf Security Threat Insights Report is available from HP. Its publication comes two months after research published by WatchGuard suggested an increase in encrypted malware in the second quarter of 2022.
