How ISO and Archive Files Are Used for Malware Delivery

Attackers often embed malware in ISO and archive files like ZIP and RAR, using them to bypass email security filters and execute malicious code.

The Perfect Disguise: Why Attackers Love Container Files

Compressed and container file formats have become increasingly popular vehicles for delivering malware. Among these formats, ISO images and archive files like ZIP, RAR, and 7z have emerged as particularly effective tools for cybercriminals. According to a 2023 HP Threat Research report, attacks using ISO and archive files increased by 67% in the past year, with ISO-based attacks growing at nearly twice the rate of other formats.

Archive and ISO files offer several significant advantages to attackers seeking to bypass security controls:

Security Blind Spots: Many email security solutions and antivirus programs struggle to effectively scan the contents of compressed or container files, particularly those using password protection or uncommon compression algorithms. Proofpoint research indicates that malware in password-protected archives is 36% less likely to be detected by standard security tools.

Mark-of-the-Web Bypass: When files are downloaded from the internet, Windows typically applies a “Mark-of-the-Web” (MOTW) flag, stored as a Zone.Identifier alternate data stream on NTFS, that triggers additional security scrutiny such as SmartScreen checks and Protected View in Office. However, the flag is attached to the downloaded ISO itself: when users mount or extract an ISO image, the files inside it do not inherit the flag, so they are treated as if they had never left the machine. According to Microsoft Security Intelligence, 83% of ISO-based attacks explicitly exploit this MOTW bypass capability.

User Trust: Archive files are common in business environments, making them less likely to raise suspicion among users. A SANS Institute study found that users are 42% more likely to open archive attachments compared to other potentially suspicious file types.

The ISO Offensive

ISO files—originally designed as disc image formats—have become particularly valuable tools for malware delivery:

Increased Prevalence: Mandiant researchers observed a dramatic 475% increase in ISO-based attacks between 2021 and 2023, with these attacks becoming standard components in many ransomware delivery chains. The shift occurred as email security solutions became better at detecting traditional archive-based threats.

Multi-Stage Attacks: ISO files often serve as the first stage in complex attack chains. A typical attack might involve an email with a link to an ISO file that contains a malicious LNK file, which then executes PowerShell code to download the actual malware payload. According to IBM X-Force, ISO-based attack chains averaged 4.3 stages in 2023, up from 2.8 in 2022.

Notable Campaigns: Some of the most sophisticated malware distribution networks, including those deploying IcedID, BazarLoader, and QakBot, have pivoted to ISO files for initial delivery. CrowdStrike intelligence reported that 73% of BazarLoader campaigns in late 2023 used ISO files as their primary delivery mechanism.

Archive Tactics: The Compression Deception

While ISO files have seen the most dramatic growth, traditional archive formats continue to be widely used in malware campaigns:

Password-Protected Archives: By sending password-protected ZIP or RAR files with the password included in the email body or a separate message, attackers can bypass security solutions that can’t access the encrypted contents. Symantec observed that 64% of malicious archives in targeted attacks used password protection.

Nested Archives: Attackers often use multiple layers of compression—a ZIP file containing another ZIP file, which contains the actual malware. FireEye researchers found that 41% of archive-based attacks used at least two layers of nesting.

Uncommon Archive Formats: While ZIP is the most common archive format, attackers also use less common formats like 7z, CAB, or ACE files to evade security tools that might not thoroughly scan these types. A Trend Micro analysis showed that malware delivered via uncommon archive formats had a 28% higher successful infection rate.

Archive Bombs: These specially crafted archive files are designed to consume excessive system resources when extracted or scanned. They might contain millions of nested folders or use compression techniques that decompress to terabytes of data from a file that is only kilobytes in size. These “bombs” can cause security tools to time out or crash, allowing malware to slip through. Scanners that inspect the declared uncompressed size and compression ratio of each member before extracting it, and that cap total expansion, fail safely instead of exhausting memory or disk.

Hidden in Plain Sight: Disguise Techniques

Container files often conceal payloads that use additional deception techniques:

Icon Spoofing: Malicious executables are disguised with icons resembling common document types like PDFs or Word files. When extracted from an ISO or archive, these files appear legitimate at a glance. Kaspersky Lab found that 88% of executable files delivered via ISOs used deceptive icons.

Double Extensions: Files named “invoice.pdf.exe” or “document.docx.js” exploit Windows’ default “Hide extensions for known file types” setting. Users see only “invoice.pdf” and assume the file is a legitimate document. According to Proofpoint’s 2023 Threat Report, 76% of malicious files delivered via container formats used some form of extension manipulation.

LNK File Abuse: Windows shortcut (LNK) files have become particularly common in ISO-based attacks. These files can execute complex command sequences while appearing as simple shortcuts to legitimate applications. VMware Carbon Black observed that 59% of ISO-based attacks in 2023 used LNK files as their execution mechanism.
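A defender-side scanner for the archive patterns described above (nested archives and archive bombs in the previous section, double extensions and LNK files in this one), added here as an illustration rather than code from the original article. It builds a constructed sample ZIP in memory and reports indicators using only the standard library; the thresholds and extension lists are illustrative assumptions, not values from the page.

```python
import io
import zipfile

# Illustrative policy values (assumptions, not from the article).
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img", ".vhd", ".vhdx", ".cab", ".ace"}
EXEC_EXTS = {".exe", ".dll", ".js", ".hta", ".lnk", ".vbs", ".scr", ".cmd", ".bat"}
MAX_RATIO = 100.0              # uncompressed/compressed above this is a bomb indicator
MAX_NESTED_BYTES = 10_000_000  # only recurse into nested ZIPs smaller than this
MAX_DEPTH = 3                  # stop recursing beyond this nesting level

def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a nested ZIP (with a double-extension EXE),
    a shortcut file, and a member that inflates ~1000:1 (zip-bomb-like)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 64)   # fake PE stub
        z.writestr("readme.txt", b"hello")                    # benign member
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("attachment.zip", inner.getvalue())
        z.writestr("Document.lnk", b"L\x00\x00\x00" + b"\x00" * 32)  # fake shortcut header
        z.writestr("padding.bin", b"\x00" * 2_000_000)        # 2 MB of zeros
    return outer.getvalue()

def scan_zip(data: bytes, prefix: str = "", depth: int = 0) -> list:
    """Return (indicator, member_path) pairs without fully extracting anything."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            path = prefix + info.filename
            base = info.filename.lower().rsplit("/", 1)[-1]
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            encrypted = bool(info.flag_bits & 0x1)   # general-purpose bit 0
            if encrypted:
                findings.append(("encrypted", path))
            # Compare declared sizes from the central directory: no inflation needed.
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(("bomb-ratio", path))
            if len(parts) > 2 and ext in EXEC_EXTS:
                findings.append(("double-extension", path))
            elif ext in EXEC_EXTS:
                findings.append(("executable", path))
            if ext in ARCHIVE_EXTS:
                findings.append(("nested-archive", path))
                # Recurse into plain nested ZIPs only, within size and depth limits.
                if (ext == ".zip" and not encrypted and depth < MAX_DEPTH
                        and info.file_size <= MAX_NESTED_BYTES):
                    findings += scan_zip(z.read(info), path + "/", depth + 1)
    return findings
```

Other container formats (ISO, RAR, 7z, VHD) need their own parsers, but the same size-and-ratio gating applies before any member is expanded.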

Real-World Attack Examples

Understanding how these attacks work in practice reveals their sophistication:

Emotet Campaign Structure: The notorious Emotet malware distribution network frequently uses a chain that begins with a phishing email containing a password-protected ZIP file. The ZIP contains a malicious Word document with macros that, when enabled, executes PowerShell code to download the actual Emotet payload.

QakBot ISO Chain: The QakBot banking trojan’s distribution method evolved to use ISO files containing shortcut files and DLL files. When the user opens the shortcut, it executes a command line that loads the malicious DLL using legitimate Windows tools like regsvr32.exe. According to Microsoft Defender data, this technique improved QakBot’s infection success rate by approximately 36%.

Building Your Defensive Perimeter

Organizations can implement several strategies to reduce the risk posed by ISO and archive-based malware:

Disable ISO and IMG Auto-Mounting: Windows 10 and 11 automatically mount ISO files when they’re opened. Disabling this feature through Group Policy can reduce risk. Organizations implementing this control saw a 41% reduction in successful ISO-based attacks, according to a SANS Institute survey.

Block High-Risk Extensions Post-Extraction: Blocking the execution of high-risk file types like .exe, .dll, .js, and .hta that have been extracted from container files can prevent many attacks. Gartner research indicates that organizations implementing this control experienced 67% fewer successful container-based attacks.

Implement Content Disarm and Reconstruction (CDR): Rather than trying to detect malicious elements, CDR technology rebuilds files into safe versions by removing potentially dangerous components. According to Forrester Research, organizations using CDR technology for handling container files experienced 83% fewer successful attacks compared to those using traditional sandbox technologies.

Enhanced User Training: Teaching users about the specific risks of container files and showing them how to identify suspicious ISOs and archives significantly reduces successful attacks. Companies with specialized training on container-based threats saw a 47% reduction in user-initiated infections, according to Proofpoint data.

The Container Evolution

As security tools improve at detecting ISO and common archive attacks, threat actors continue to evolve their techniques:

VHD and VHDX Files: Following the success of ISO-based attacks, some threat actors have begun shifting to Virtual Hard Disk (VHD/VHDX) files, which offer similar MOTW bypass capabilities. Microsoft Security Intelligence observed a 214% increase in malicious VHD/VHDX files in the latter half of 2023.

Cabinet Files: CAB files, Microsoft’s native archive format, are increasingly appearing in attacks because built-in Windows tools can unpack them directly, without any third-party archiver. Symantec reported a 157% increase in malicious CAB files over the past year.

By understanding these container-based attack techniques and implementing appropriate defenses, organizations can significantly reduce their vulnerability to these increasingly common and effective attack vectors.
