Malware spreads by CAB e-mail attachments to evade ZIP/RAR filters

Over the past few years, one very common way malware has been distributed is as an e-mail attachment inside a Zip or RAR archive. The reason for this distribution method is simple: most e-mail clients, such as Outlook, offer no straightforward way to block Zip or RAR attachments that contain executable files without blocking all Zip and RAR attachments. Most antivirus products ignore executable files inside such archives unless they are a positive detection. Some mail servers, including Office 365 Small Business, cannot block such attachments either.

With the high frequency of such infections, many organisations have decided to block Zip and RAR files altogether, so malware distributors started turning to download links instead. The problem with such links, from the distributor's point of view, is that malicious files have to pass through several layers of screening, including Internet Explorer's default blocking of seldom-downloaded files. Now malware creators are trying other types of file attachment that can run executable code.

One recent method is the return of macro infections, which execute from Word and Excel files. Another method, which we saw for the first time today, is the use of a different archive type, a CAB file:

[Screenshot: e-mail with infected CAB file attachment]

A CAB file is a compressed archive similar to a Zip file; it is normally used to pack software installation files into a single CAB file or across several CAB files. As with the Zip format, Windows can open CAB files natively, in the same way it opens a Zip file:

[Screenshot: the infected CAB file opened in Windows]

In this example, I have Windows set to show file extensions for known file types, and the file inside this archive is clearly not a document or picture. It has a screensaver file extension, ‘.scr’, which runs just like an ‘.exe’ executable file.

Users who are familiar with executable file types inside Zip files will probably not fall for this one. However, because many organisations have been blocking all Zip and RAR attachments for some time, the CAB format will likely get through rules that check for specific file extensions, and users who have never encountered an infected Zip or RAR attachment will probably be caught out.
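The weakness described above is that attachment rules match on the attachment's file extension, so a CAB archive slips past a filter written for Zip and RAR. A filter that identifies the archive by its content and then lists what is inside it does not have that gap. The following Python script is an added example written for this page, not code from the original article: it parses a raw e-mail, recognises CAB attachments by the `MSCF` signature and Zip attachments by their `PK` signature regardless of the attachment name, reads the CAB directory (the CFFILE entries defined by the Microsoft cabinet format) without decompressing anything, and reports any entry with an executable extension such as `.scr`. The e-mail, the CAB image, the ZIP and the file names (`scan.cab`, `report.scr`, `readme.txt`) are constructed test data; the extension list is an assumption that a real deployment would tune.

```python
import email
import io
import os
import struct
import zipfile
from email.message import EmailMessage

# Extensions Windows executes directly; '.scr' (screensaver) runs like '.exe'.
# Assumed list for this example; tune it for a real gateway.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
CAB_SIGNATURE = b"MSCF"
CFHEADER_SIZE = 36  # fixed part of the cabinet header


def list_cab_entries(data: bytes) -> list:
    """Return the file names in a CAB image by walking its CFFILE directory.
    Only the directory is read (no decompression), so untrusted input is
    never expanded. Offsets follow the Microsoft cabinet (CFHEADER) layout."""
    if len(data) < CFHEADER_SIZE or data[:4] != CAB_SIGNATURE:
        raise ValueError("not a CAB file")
    (coff_files,) = struct.unpack_from("<I", data, 16)  # offset of first CFFILE
    (n_files,) = struct.unpack_from("<H", data, 28)     # number of CFFILE entries
    names, pos = [], coff_files
    for _ in range(n_files):
        if pos + 16 > len(data):
            raise ValueError("truncated CFFILE entry")
        pos += 16  # skip cbFile, uoffFolderStart, iFolder, date, time, attribs
        end = data.find(b"\x00", pos)  # szName is NUL-terminated
        if end == -1:
            raise ValueError("unterminated CFFILE name")
        names.append(data[pos:end].decode("latin-1"))
        pos = end + 1
    return names


def list_archive_entries(data: bytes):
    """Identify the archive by magic bytes (not by file name) and list its
    entries; returns None when the payload is neither CAB nor ZIP."""
    if data[:4] == CAB_SIGNATURE:
        return list_cab_entries(data)
    if data[:2] == b"PK":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    return None


def executable_entries(names) -> list:
    """Entries whose extension Windows would execute."""
    return [n for n in names if os.path.splitext(n)[1].lower() in EXEC_EXTENSIONS]


def scan_message(raw: bytes) -> list:
    """(attachment name, executable entries) for each archive attachment that
    carries an executable, whatever the attachment itself is called."""
    findings = []
    for part in email.message_from_bytes(raw).walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        try:
            entries = list_archive_entries(payload)
        except (ValueError, zipfile.BadZipFile):
            continue  # malformed archive: outside this check's scope
        if entries is None:
            continue
        hits = executable_entries(entries)
        if hits:
            findings.append((part.get_filename() or "<unnamed>", hits))
    return findings


# --- constructed test data (not real samples) ------------------------------

def build_cab(names) -> bytes:
    """Minimal CAB directory: header, one folder, CFFILE entries, no data
    blocks. Enough for a listing; constructed input only."""
    folder = struct.pack("<IHH", 0, 0, 0)  # coffCabStart, cCFData, typeCompress
    files = b"".join(
        struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 0x20) + n.encode("latin-1") + b"\x00"
        for n in names
    )
    coff_files = CFHEADER_SIZE + len(folder)
    header = CAB_SIGNATURE + struct.pack(
        "<IIIIIBBHHHHH",
        0, coff_files + len(files), 0, coff_files, 0,  # reserved1, cbCabinet, reserved2, coffFiles, reserved3
        3, 1,                                           # versionMinor, versionMajor
        1, len(names),                                  # cFolders, cFiles
        0, 0, 0,                                        # flags, setID, iCabinet
    )
    return header + folder + files


def build_zip(names) -> bytes:
    """Constructed ZIP with empty members, to run the same check on Zip attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed e-mail whose CAB attachment holds a '.scr' file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(build_cab(["report.scr", "readme.txt"]),
                       maintype="application", subtype="octet-stream",
                       filename="scan.cab")
    return bytes(msg)


if __name__ == "__main__":
    for name, hits in scan_message(build_sample_message()):
        print(f"{name}: contains executable entries {hits}")
```

Because the check keys on the `MSCF` and `PK` signatures rather than on `.cab` or `.zip` in the attachment name, renaming the archive does not bypass it, and because only the directory is parsed, the gateway never has to expand the archive's contents to make the decision.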

With this new tactic, it is not surprising to find that the payload inside has been tweaked to evade most antivirus products, at least at the time of checking with VirusTotal:

[Screenshot: VirusTotal results for the CAB attachment]

Just one fairly obscure antivirus product, Tencent, detected this as a positive infection, and the choice of payload is no surprise, so we know just how serious this one is. CTB Locker is a ransomware infection that works like the infamous Cryptolocker. It encrypts all photos, Word and Excel files and then gives the user 96 hours to pay a ransom to decrypt the files before the remotely stored decryption key is destroyed.