
Compression File Formats of the past Come Haunting in Spam Campaigns


nir


Some ancient file types are making a comeback due to unwanted attention from cybercriminals looking for more effective ways to hide malware distributed through spam campaigns.

Specifically, two archive formats that today are mostly seen on the computers of nostalgic geeks or professionals working with old files have recently been used in spam campaigns to deliver info-stealing malware or a backdoor.

The popular file extensions for hiding malware include types that support embedding code or commands in one form or another, like Microsoft Office documents with macros.

Researchers at Trend Micro spotted malicious email activity involving the ARJ (Archived by Robert Jung) and Z data compression formats, which back in the day were among the archive types users preferred.

 

The campaign relying on the ARJ format (as old as the 90s) to compromise computers sent out about 7,000 malicious files. The pretext for tricking the email recipient into opening the message lay in the subject line, which announced financial documents inside.

[Image: spam-campaign-ARJ-extension.jpg]

According to the experts, the malware at the end of the path is designed to steal system information and grab credentials from browsers and email service platforms.

Although rarely used anymore, the ARJ archive is still supported by compression software. WinRAR can decompress it, and so can popular free applications like 7-Zip.

Things are similar with the Z compression format, only the danger of the user falling for the trick is greater than with ARJ.

Attaching double extensions to malicious files is an old trick that works especially well with a single-letter file extension.

[Image: spam-campaign-Z-extension.jpg]

The payload in the spam campaign using this archive format is a backdoor that allows the attacker to "open, rename, upload and delete files in an affected computer, log keystrokes, and even capture images and voice using the computer’s camera and mic," the researchers discovered.


Earlier this year a security expert found a different campaign that used the Z archive to deliver the DarkComet remote access trojan using the PDF.Z double extension tactic.
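The two tricks described above, a legacy archive format that modern tools still unpack and a document-looking double extension such as PDF.Z, are both things a mail gateway can flag before a user ever sees the attachment. The following is an added example, not code from the article or from Trend Micro: it sniffs the attachment's leading bytes for the ARJ header ID (0x60 0xEA) and the Unix compress .Z signature (0x1F 0x9D), compares that with the file name's extensions, and reports a legacy archive, a double extension, or a name that does not match the content. The sample attachments at the bottom are constructed, and the function and constant names are the example's own.

```python
"""Attachment triage for legacy-archive and double-extension lures."""

# Leading bytes of the two archive formats discussed in the article.
# ARJ headers begin with 0x60 0xEA; Unix compress (.Z) streams begin with 0x1F 0x9D.
MAGIC = {
    b"\x60\xea": "arj",
    b"\x1f\x9d": "compress-z",
}

# Archive extensions that rarely belong in legitimate business mail.
ARCHIVE_EXTS = {"arj", "z"}

# Extensions that look like ordinary documents and invite a click.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}


def sniff_format(data: bytes):
    """Return the archive format named by the leading bytes, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def split_extensions(filename: str):
    """Return every extension after the first dot, lower-cased ('a.pdf.z' -> ['pdf', 'z'])."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def triage_attachment(filename: str, data: bytes):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    exts = split_extensions(filename)
    fmt = sniff_format(data)

    # Content check: the bytes decide, whatever the name claims.
    if fmt:
        findings.append(f"content is {fmt} archive")

    # Name checks: a legacy archive extension, or a document extension
    # hiding in front of the real (last) extension.
    if exts and exts[-1] in ARCHIVE_EXTS:
        findings.append(f"legacy archive extension .{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")

    # Mismatch check: archive bytes behind a name that does not end in an archive extension.
    if fmt and exts and exts[-1] not in ARCHIVE_EXTS:
        findings.append("extension does not match content")

    return findings


if __name__ == "__main__":
    # Constructed sample attachments (only the first bytes matter for the sniff).
    samples = [
        ("invoice.pdf.z", b"\x1f\x9d\x90\x00\x00"),   # double extension over a .Z stream
        ("documents.arj", b"\x60\xea\x2b\x00\x22"),   # legacy ARJ archive
        ("statement.pdf", b"\x60\xea\x2b\x00\x22"),   # ARJ bytes behind a .pdf name
        ("report.pdf", b"%PDF-1.4\n"),               # a real PDF, nothing to flag
    ]
    for name, content in samples:
        print(f"{name}: {triage_attachment(name, content) or 'clean'}")
```

The content check is the one that matters most: renaming an attachment does not change its first two bytes, so an ARJ or .Z stream is caught even when the name is chosen to look like a document.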

Previous tactics not abandoned

Other methods for hiding malware and bypassing antivirus products are still active. Attaching the IQY (Excel Web Query) format to other file types is a method that took off earlier this year and continues in newer spam campaigns.

Trend Micro noticed this tactic in the latest malspam waves, where IQY files with instructions to drop malware were embedded in PDF files.

[Image: spam-campaign-IQYinPDF.jpg]

PUB (Microsoft Publisher) files with macros are also preferred, as is SettingContent-ms, the Windows Settings shortcut extension, for executing malicious code on the system.

[Image: spam-campaign-SettingContentinPDF.jpg]

Source
