Security

Watch out for this zip file scam

by Marcus White
Published on 11th Aug 2022
Zip File 1003X223

Distributing malware through a . ZIP file isn’t anything new, so threat actors are using a new tactic in response to tightening cybersecurity measures across the globe. While most people know not to open an unexpected attachment, these malicious files are starting to pop up in email threads with trusted friends and colleagues — this makes them very easy to fall for.

Knowing that human error is often a weak link in cybersecurity defenses, attackers are gaining access to genuine email conversations in order to deliver malware through harmless-looking .ZIP files. This is why it’s more important than ever to remain vigilant. 

The malware is Qakbot, a password-stealing trojan that’s been around since 2008. The rise in Qakbot attacks over the last six months points to the adoption of these worryingly effective techniques. In order to fool the user, the .ZIP files tend to have very ordinary-sounding extension names, including Microsoft Office file formats. Hackers are mimicking these file types, enticing victims to download the file, which then installs the malware. The fake file extension names also mean that this malware is often able to evade cybersecurity filtering processes.

The evolution of cybercrime

It’s no surprise to IT experts that methods of cyberattackers are evolving all the time. "Cybercriminals are constantly updating their attacks to try to avoid detection and, ultimately, achieve their aims," Jack Chapman, VP of Threat Intelligence at Egress, told Lifewire recently. "So even if we don't know specifically what they'll try next, we know there will always be a next time, and that attacks are constantly evolving."

The methods of attack are increasingly subtle. Many people tend to think of these scams as being blatant and easy to avoid, but as technology becomes more sophisticated, those aiming to infiltrate it are never far behind. Threat actors are working hard to get what they want by employing increasingly insidious methods, like obfuscating code and taking advantage of multiple URLs – anything to slightly alter the steps towards infiltration in order to avoid suspicion. 

"Sophisticated cyberattacks are engineered to stand the best possible chance of reaching their targets," says Chapman. “These attacks leverage subtle techniques to avoid detection by traditional security technologies, such as using multiple URLs to deliver the payload and introducing new layers in the kill chain.”

Taking advantage of trust

Most users are good at not downloading an attachment they haven’t been expecting but when these .ZIP files form part of a natural conversation with a trusted contact, it’s easy to let that vigilance slip. Often, attackers will integrate the malicious attachment into replies within active email threads, making them seem harmless and as if they were there the entire time — plus, one would assume that a genuine email from a friend or colleague must be secure.

The trust that we place within our contacts and our inbox’s ability to sniff out anything suspicious is what threat actors are relying on to get Qakbot onto our devices. “There is evidence of sophisticated social engineering at play in these attacks,” says Chapman. “First, a double whammy of familiarity. By inserting replies into existing email threads, the cybercriminals are taking advantage of the pre-existing relationship and trust built between the people involved. 

“Plus, the use of common file types and extensions, such as .ZIP and Excel, results in recipients being less suspicious and more likely to open the attachments. Secondly, by giving the attachments ‘enticing’ names, they tempt the recipients to open them.

“This methodology is highly effective, which is why cybercriminals continue to use and evolve it. Cybercriminals who have the skills to create these attacks simply package them up and sell them to other, often less-skilled, attackers, along with detailed instructions on how to carry out the attacks. So, unfortunately, we can only expect more of these attacks in the future.”

How to avoid Qakbot

The best way to avoid falling for a dangerous Qakbot .ZIP file scam is through a personal verification process. Even if you believe you’re communicating with somebody you know, their account could be compromised and there’s a chance that what they’re sending is malicious. 

“So if they do send over an unexpected attachment, contact them another way (e.g. by phone) to verify that it’s legitimate,” Chapman suggests. 

If a user opens a phishing email or accidentally downloads a malicious attachment, it’s important they know the next steps and contact the IT team immediately. A solid IT contingency plan will ensure damage limitation. 

“As these attacks are targeting people at work, organizations have a responsibility to make sure they implement effective protocols against phishing attacks,” Chapman states. “Even if we don’t know specifically what they’ll try next, we know there will always be a next time and that attacks are constantly evolving.

“We can’t expect everyone to spot every phishing attack every time, which is why it is so important to leverage the correct technology and policies to support your people – and, effectively, kill the kill chain in delivery.”

Using natural language processing email security tools will help to defend against these attacks. If you’d like to find out how Egress can help, find out more here.