{"id":13371,"date":"2019-05-31T09:00:33","date_gmt":"2019-05-31T05:00:33","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/top4-dangerous-attachments-2019\/13371\/"},"modified":"2019-11-15T15:22:16","modified_gmt":"2019-11-15T11:22:16","slug":"top4-dangerous-attachments-2019","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/top4-dangerous-attachments-2019\/13371\/","title":{"rendered":"Top 4 dangerous file attachments"},"content":{"rendered":"

Spammers send billions of messages every single day. It is mostly trite advertising\u00a0\u2014 annoying, but generally harmless. But every once in a while, there is a malicious file attached to one of the messages.<\/p>\n

To provoke the recipient into opening a dangerous file, it is usually masked as something interesting, useful, or important: a work document, a great offer, a gift card bearing the logo of a well-known company<\/a>, and so on.<\/p>\n

Malware distributors have their own \u201cpet\u201d formats. In this post we explore this year\u2019s top malware-hiding files<\/a>.<\/p>\n

1. ZIP and RAR archives<\/h2>\n

Cybercriminals love to conceal malware in archives. For example, ZIP files teasingly titled Love_You0891 (the number varied) were used by attackers to distribute GandCrab ransomware<\/a> on the eve of St. Valentine\u2019s Day. Other scammers were sighted a couple of weeks later sending archives with the Qbot Trojan<\/a>, which specializes in stealing data.<\/p>\n

This year also saw the discovery of an interesting WinRAR feature. When creating an archive, it turns out, one can set up rules to unpack the contents into the system folder. In particular, contents can go into the Windows startup folder, causing them to start at the next reboot. Therefore, we recommend that WinRAR users update it immediately to fix this<\/a>.<\/p>\n

2. Microsoft Office documents<\/h3>\n

Microsoft Office files, especially Word documents (DOC, DOCX), Excel spreadsheets (XLS, XLSX, XLSM), presentations, and templates, are also popular with cybercriminals. These files can contain embedded macros<\/a>\u00a0\u2014 small programs that run inside the file. Cybercriminals use macros as scripts for downloading malware.<\/p>\n

Most often, these attachments target office workers. They are disguised as contracts, bills, tax notifications, and urgent messages from senior management. For example, a banking Trojan that goes by the name Ursnif<\/a> was foisted on Italian users under the guise of a payment notice. If the victim opened the file and agreed to enable macros (disabled by default for security reasons), a Trojan was downloaded onto the computer.<\/p>\n

3. PDF files<\/h3>\n

Many people know about the dangers of macros in Microsoft Office documents, but they are often less aware of booby traps in PDF files. Nevertheless, PDFs can conceal malware. The format can be used to create and run JavaScript<\/a> files.<\/p>\n

What\u2019s more, cybercriminals are fond of hiding phishing links in PDF documents. For example, in one spam campaign, fraudsters encouraged users to go to a \u201csecure\u201d page where they were asked to sign into their American Express account. Needless to say, their credentials were immediately forwarded to the scammers.<\/p>\n

4. ISO and IMG disk images<\/h3>\n

In comparison with the previous types of attachments, ISO and IMG files are not used very often. Cybercriminals have been paying increasing attention to them of late, however. Such files\u00a0\u2014 disk images\u00a0\u2014 are basically a virtual copy of a CD, DVD, or other disk.<\/p>\n

Attackers used a disk image to deliver to victims\u2019 computers malware such as the Agent Tesla Trojan, which specializes in stealing credentials. Inside the image was a malicious executable file that, when mounted, activated and installed spyware on the device. Curiously, in some cases, the cybercriminals used two attachments (an ISO and a DOC) together, apparently as a fail-safe.<\/p>\n\n

How to handle potentially dangerous attachments<\/h3>\n

Consigning all messages with an attached archive or DOCX\/PDF file to the spam folder would be overkill. Instead, to outfox scammers, remember a few simple rules:<\/p>\n