Malware authors tend to prefer specific types of file attachments in their campaigns to distribute malicious content. During our routine threat landscape monitoring over the last three months, we observed some interesting patterns in the attachment types used across various campaigns.
In February and March, we saw huge spam campaigns using ZIP files to send out GandCrab ransomware, and DOC and XLSM files to distribute the Trickbot banking trojan. In the same time period, we saw a similarly large campaign targeting American Express, and a ‘Winner’ scam, both using PDF file attachments.
We also noticed a new trend of disc image files (ISO and IMG) being used to spread malware, with a few small campaigns distributing AgentTesla InfoStealer and NanoCore RAT.