Spammers send out many millions of emails every day. The lion's share is banal advertising: annoying, but mostly harmless. Sometimes, however, a malicious file is attached. To get the recipient interested and make them open a dangerous file, it is usually disguised as something interesting, useful or important. Below are the file types in which cybercriminals most often hide malware, and how to handle them so as not to get infected.
1. ZIP and RAR archives
Archives are attackers' favourite format, because you cannot see what is inside until you download and open them. ZIP files with the intriguing name "Love You0891" (the digits varied) were used by attackers to distribute the GandCrab ransomware: once on the computer, it encrypted the data and demanded money for the decryption key, threatening to destroy everything otherwise. Other scammers, who came to researchers' attention a couple of weeks later, were sending out archives containing the Qbot Trojan, which specialises in data theft.
WinRAR had a problem of its own: it turned out that an archive could be crafted so that, on unpacking, its content lands in a system folder rather than in the directory the user chose (a path-traversal bug in the extractor). In particular, the content can be dropped into the Windows Startup folder, and such a "gift" then runs automatically at the next logon. Even if you download the archive and forget about it, the payload starts without your knowledge. If you use WinRAR, update it.
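A check that turns the two warnings above into code, as an added example rather than anything from the original article: it lists a ZIP attachment's entries before extraction and flags entries whose path escapes the target directory (the Startup-folder trick) or whose name ends in an executable or script extension, including "invoice.pdf.js" style double extensions. The WinRAR bug described above was in a different archive format; ZIP is used here because Python's standard library can build one offline, and the sample archive, its file names and the Startup path constant are all constructed for the demo.

```python
import io
import posixpath
import zipfile

# Extensions Windows runs directly or hands to a script host on double-click.
EXECUTABLE_EXTS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".lnk", ".ps1", ".msi",
}


def path_escapes(member_name: str) -> bool:
    """True if extracting this entry naively would write outside the target dir."""
    name = member_name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True  # absolute path or Windows drive letter
    normalized = posixpath.normpath(name)
    return normalized == ".." or normalized.startswith("../")


def suspicious_extension(member_name: str) -> bool:
    """Flag executables/scripts, including 'invoice.pdf.exe' double extensions."""
    base = posixpath.basename(member_name.replace("\\", "/")).lower()
    if "." not in base:
        return False
    return "." + base.rsplit(".", 1)[1] in EXECUTABLE_EXTS


def inspect_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for every entry a human should review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if path_escapes(info.filename):
                findings.append((info.filename, "path escapes extraction directory"))
            if suspicious_extension(info.filename):
                findings.append((info.filename, "executable or script"))
    return findings


# Per-user Startup folder relative to the profile; a traversal entry aims here.
STARTUP_PATH = "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"


def build_sample() -> bytes:
    """Constructed sample archive for the demo; not a real malicious attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Love_You.txt", "harmless text")
        zf.writestr("Love_You.pdf.js", "// a downloader script would live here")
        # The Startup-folder trick: climb out of the extraction directory.
        zf.writestr("../../" + STARTUP_PATH + "/update.exe", "MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in inspect_zip(build_sample()):
        print(f"{reason:34} {entry}")
```

Note that `path_escapes` normalises the path first, so an entry like `docs/../readme.txt` that stays inside the target directory is not flagged, while `docs/../../x` is. Python's own `ZipFile.extractall` already strips such components on extraction; the point of listing them is that a gateway or analyst wants to know the archive was built that way at all.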
2. Microsoft Office
Microsoft Office files are also popular with cybercriminals, especially Word documents (.doc, .docx), Excel spreadsheets (.xls, .xlsx, .xlsm), and presentations and templates. These files can contain embedded macros, small programs that run right inside the document.
Attackers use such macros, for example, as scripts that download and install malware. The documents are a perfect disguise: almost everyone works with them daily, and a malicious one can be passed off as a report, an urgent message from management, a purchase order and so on. The same GandCrab ransomware, for example, was planted on Italian users under the guise of a payment notification. GandCrab was a very successful operation: in 2019 it held about 40% of the ransomware market.
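The following Python snippet is an added example, not code from the article or from Microsoft, for checking whether a modern Office attachment carries macros without opening it in Office. It relies on the documented OOXML layout (a ZIP container with `[Content_Types].xml`, a `vbaProject.bin` part for VBA code, `xl/macrosheets/` for Excel 4.0 macro sheets, and a "macroEnabled" content type for .docm/.xlsm/.pptm); the minimal Word containers it builds are constructed stand-ins, not real documents. Legacy binary .doc/.xls files are OLE2 compound files and need a different parser, such as oletools' olevba.

```python
import io
import zipfile

# Possible verdicts for an Office Open XML (OOXML) attachment.
NO_MACROS = "no VBA or XLM macros found"
MACROS = "contains macros: open only if expected, never click Enable Content"
HIDDEN_MACROS = "macro parts inside a file that should have none: treat as hostile"

MACRO_FREE_EXTS = {"docx", "xlsx", "pptx", "dotx", "xltx", "potx"}


def find_macro_parts(data: bytes) -> dict:
    """List the parts that carry code in an OOXML (ZIP-based) Office file.

    VBA projects are stored as a binary part named vbaProject.bin; Excel 4.0
    (XLM) macro sheets live under xl/macrosheets/. [Content_Types].xml declares
    the main part with a '...macroEnabled...' content type for .docm/.xlsm/.pptm.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        try:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            content_types = ""
    return {
        "vba": [n for n in names if n.lower().endswith("vbaproject.bin")],
        "xlm": [n for n in names if n.lower().startswith("xl/macrosheets/")],
        "declared_macro_enabled": "macroenabled" in content_types.lower(),
    }


def verdict(filename: str, data: bytes) -> str:
    parts = find_macro_parts(data)
    if not (parts["vba"] or parts["xlm"]):
        return NO_MACROS
    ext = filename.rsplit(".", 1)[-1].lower()
    # Code inside a .docx/.xlsx, or without the macroEnabled declaration,
    # means the file was renamed or tampered with to look harmless.
    if ext in MACRO_FREE_EXTS or not parts["declared_macro_enabled"]:
        return HIDDEN_MACROS
    return MACROS


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal Word container for the demo; not a real document."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 vba placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("report.docm:", verdict("report.docm", build_sample(True)))
    print("report.docx:", verdict("report.docx", build_sample(True)))
    print("report.docx:", verdict("report.docx", build_sample(False)))
```

The check is deliberately structural: it does not try to decide whether the macro is malicious, only whether code is present and whether the file's name and content-type declaration agree about it. A payment notification that arrives as a .docm, or a .docx that turns out to carry a VBA project, is enough reason to hold the message.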
3. ISO and IMG disk images
ISO and IMG files are used less often than the previous types of attachment, but attackers have recently been paying more and more attention to them. Such files, disk images, are essentially virtual copies of a CD, DVD or other disk; modern Windows mounts them with a double-click, so the image opens like a folder. Inside the image sits a malicious executable which, when the victim opens the disk and launches it, installs spyware on the device. With attachments of this kind the attackers delivered, for example, the Agent Tesla Trojan, which specialises in stealing credentials.
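As a final added example (not from the original page), a triage routine that identifies an attachment by its first bytes rather than its name, covering all three classes discussed above: ZIP and RAR archives, OLE2 and OOXML Office files, ISO/UDF disk images and the PE executables they usually carry. The signature table and the expected-extension map are my own choices, and the sample blobs are constructed stubs (a 32 KiB zero system area followed by an ISO volume descriptor header, an "MZ" prefix renamed to .pdf), not real attachments.

```python
import io
import zipfile

# (label, offset, magic bytes). Order matters: disk images are checked before
# the two-byte "MZ" test, which is the weakest signature in the list.
SIGNATURES = [
    ("iso9660", 0x8001, b"CD001"),  # primary volume descriptor at sector 16
    ("udf", 0x8001, b"BEA01"),      # UDF volume recognition sequence, same sector
    ("zip", 0, b"PK\x03\x04"),      # also every .docx/.xlsx/.pptx
    ("rar", 0, b"Rar!\x1a\x07"),    # common prefix of RAR4 and RAR5 headers
    ("ole2", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),  # legacy .doc/.xls/.ppt, .msi
    ("pe", 0, b"MZ"),               # DOS/PE executable
]

# Extensions that legitimately map to each container type.
EXPECTED_EXTS = {
    "iso9660": {"iso", "img"},
    "udf": {"iso", "img"},
    "zip": {"zip", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm"},
    "rar": {"rar"},
    "ole2": {"doc", "xls", "ppt", "msi"},
    "pe": {"exe", "dll", "scr"},
}


def identify(data: bytes):
    """Return the container label for data, or None if no signature matches."""
    for label, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def triage(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes actually are."""
    kind = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = kind is not None and ext not in EXPECTED_EXTS[kind]
    return {
        "kind": kind,
        "ext": ext,
        "mismatch": mismatch,
        "executable": kind == "pe",
        "disk_image": kind in ("iso9660", "udf"),
    }


def build_iso_stub() -> bytes:
    """Constructed: 32 KiB system area, then a primary volume descriptor header."""
    return bytes(0x8000) + b"\x01CD001\x01\x00"


def build_zip_stub() -> bytes:
    """Constructed one-entry archive standing in for a .docx container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.img": build_iso_stub(),
        "invoice.pdf": b"MZ\x90\x00" + bytes(60),  # executable renamed to .pdf
        "report.docx": build_zip_stub(),
        "notes.txt": b"plain text",
    }
    for name, blob in samples.items():
        print(f"{name:14} {triage(name, blob)}")
```

In a mail gateway this runs before any extension-based rule: an "MZ" file named invoice.pdf, or an .img the recipient has no reason to expect, is held for review. Once a disk image is mounted, its contents should go through the same executable-extension check that archive entries get, since the image is just another container around the real payload.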