A recent report from Cofense sheds light on how cybercriminals are exploiting various archive formats to bypass email security controls, particularly following a major Windows update at the end of 2023. Traditionally, .zip files have been the most commonly used archive format in malicious campaigns because of their ubiquity and compatibility across multiple operating systems.
With Windows now supporting .rar, .7z, and .tar formats, attackers have expanded their arsenal to evade email security defenses. These new formats are increasingly employed to stealthily distribute threats, claiming a growing share among malicious attachments.
One of the favored tactics of hackers remains password-protecting archives, which complicates the automated analysis of file contents. Between May 2023 and May 2024, Cofense identified 15 types of archive formats used in attacks. For instance, threats such as StrelaStealer and NetSupport RAT are predominantly spread through .zip files, while other trojans adapt to different formats.
Although only 5% of the archives used in attacks are password-protected, they frequently bypass security systems because the password is supplied in the email body rather than in the attachment, so scanning tools cannot open the archive to inspect its contents. These methods are often paired with links to websites hosting the malware.
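As an added example (not code from the Cofense report or this article), the following Python triage routine identifies an attachment's archive format by magic bytes, reads the encryption flag from a ZIP's local file headers, and checks whether the message body hands over the password. The sample archive, body text and password regex are constructed here for illustration.

```python
import io
import re
import struct
import zipfile

# Magic bytes for the archive formats the report mentions (constructed table).
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
# Heuristic for a password handed over in the message body (assumption, not from the report).
PASSWORD_HINT = re.compile(r"\bpassword\s*(?:is|:)\s*[\"']?(\S{4,})", re.IGNORECASE)


def archive_type(data: bytes):
    """Identify the container by magic bytes rather than by file extension."""
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    # POSIX tar has no leading magic; "ustar" sits at offset 257 of the first header.
    if data[257:262] == b"ustar":
        return "tar"
    return None


def zip_entries_encrypted(data: bytes) -> list:
    """Walk the local file headers; bit 0 of the general-purpose flag marks encryption."""
    flags, off = [], 0
    while data[off:off + 4] == b"PK\x03\x04":
        flag = struct.unpack_from("<H", data, off + 6)[0]
        comp_size = struct.unpack_from("<I", data, off + 18)[0]
        name_len, extra_len = struct.unpack_from("<HH", data, off + 26)
        flags.append(bool(flag & 0x1))
        off += 30 + name_len + extra_len + comp_size  # header is 30 bytes, then name, extra, data
    return flags


def triage(body: str, attachment: bytes) -> dict:
    """Combine the archive's own metadata with the message text that delivered it."""
    kind = archive_type(attachment)
    encrypted = kind == "zip" and any(zip_entries_encrypted(attachment))
    hint = PASSWORD_HINT.search(body)
    reasons = []
    if kind and kind != "zip":
        reasons.append(f"non-zip archive ({kind})")
    if encrypted:
        reasons.append("encrypted entries, content not scannable")
    if encrypted and hint:
        reasons.append(f"password supplied in body: {hint.group(1)}")
    return {"archive": kind, "encrypted": encrypted, "reasons": reasons,
            "quarantine": encrypted and hint is not None}


def constructed_sample() -> bytes:
    """Build a small zip in memory and set the encryption flag bit on its single entry (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("statement.pdf", b"not really a pdf")
    patched = bytearray(buf.getvalue())
    patched[6] |= 0x1  # low byte of the general-purpose flag in the first local header
    return bytes(patched)
```

Because a RAR, 7z or tar attachment carries no ZIP header, the routine only reports its format for those; a production filter would hand such files to a parser for that container before deciding.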
Experts emphasize the importance of raising employee awareness about suspicious attachments and limiting the use of archive formats with no clear business purpose, such as .vhd(x) files. Additionally, updating security systems so that they can analyze archive contents and handle password-protected files is crucial in countering these evolving threats.