01 NOVEMBER 2018

Same Old File Types, Brand New Spam Campaigns

Spam and phishing campaigns remain a firm favourite infection vector for malicious actors but cybercriminals appear to be expanding the file types they abuse in an effort to find more effective ways to distribute malware.

Spam and phishing campaigns remain a firm favourite infection vector for malicious actors – in fact, they make up more than 48% of all email traffic worldwide according to data collected between January 2014 and March 2018. However, as cyber security defences continue to improve and users become more aware of spam and phishing tactics cyber criminals are looking for more effective ways to distribute malware through these campaigns.

The most common file types used in malware-related spam campaigns are .XLS, .PDF, .JS, .VBS, .DOCX, .DOC, .WSF, .XLSX, .EXE, and .HTML. But, Trend Micro researchers have recently encountered threats being packaged inside old, yet rarely used, file types in spam campaigns to deliver info-stealing malware or a backdoor.

.ARJ files

ARJ stands for “Archived by Robert Jung,”, it is a file archiver similar to the ‘.ZIP’ developed in the mid-1990’s for DOS and Windows. Although rarely used anymore, it was always generally less popular than it’s competitor ‘.zip’, the ARJ archive is still supported by compression. WinRAR can decompress it, and so can the popular free applications like 7-Zip.

A campaign recently sent out 7,000 malicious files in this format pertaining to be financial documents. After the malicious ‘.ARJ’ file has been downloaded to the victim’s device, it may drop and execute a plain executable file or an executable screensaver file. The payload is spyware designed to steal system information and grab credentials from browsers, and email service platforms.

Screen Capture of Spam Email with Malicious ‘.ARJ’ File Attachment

Trend Micro Security Intelligence Blog

.Z files

Cybercriminals also use ‘.Z’ files maliciously. Unfortunately, the danger of falling victim is higher here because attachments appear to have a double file extension (such as .PDF.z) and so users may be tricked into thinking that they’re opening a PDF instead of a ‘.Z’ file.

‘.Z’ is a compressed archive file used with Unix-based systems, commonly used when creating a compressed archive to magnetic tape for backup purposes. ‘.Z’ files can be opened by most current compression software, including Winzip (Windows) and Tar (Unix/Linux).

Like the ‘.ARJ’ file, the archive file may contain a plain ‘.exe’ file and an executable screensaver file. However, the payload in the spam campaign using this archive format is a backdoor that allows the attacker to open, rename, upload and delete files in an affected computer, log keystrokes, and even capture images and voice using the computer’s camera and microphone.

 

Screenshot of Fake Purchase Order with Malicious ‘.Z’ File Attachment

Trend Micro Security Intelligence Blog

Thanks, you've successfully been subscribed. Keep an eye on your inbox for our next email!