- Experts warn that virtual hard drives are being abused in phishing campaigns
- Virtual drives used to place RAT malware into unsuspecting inboxes
- This attack vector is particularly difficult to detect by antivirus software
Installable virtual hard disk files (usually in .vhd and .vhdx format) allow users to create virtual volumes that function similarly to physical disk drives in a Windows environment.
While these files have legitimate uses in software development and virtual machines, cybercriminals are increasingly using them to spread malware, experts warn.
Recent research from Cofense Intelligence has revealed that such files are now being used to bypass detection mechanisms such as Secure Email Gateways (SEGs) and antivirus solutions in order to deliver Remote Access Trojans (RATs).
The use of virtual hard disk files continues to increase
Even with the sophisticated scanning tools used by SEGs and antivirus solutions, this technique is particularly difficult to detect because the malware remains hidden inside the disk image until it is mounted.
The latest campaign has shifted its focus to resume-themed phishing attacks targeting Spanish-speaking individuals. These emails contain a .vhdx file which, when opened, executes a Visual Basic script to load the Remcos RAT into memory.
The campaign also includes an autorun.inf file, designed to exploit older versions of Windows that still support the AutoRun feature, which indicates that the attackers are targeting a range of system configurations in order to reach as many potential victims as possible.
AutoRun is a feature in older versions of Windows that allows files to be automatically executed when mounting a disk. Attackers often exploit this feature to run malicious payloads on systems with autorun enabled, without user intervention.
Although Windows Vista and later versions mitigate these risks by disabling automatic execution, users on outdated systems remain vulnerable to silent malware execution. Even where AutoRun is disabled, an attacker can use the AutoPlay prompt to entice a victim into manually running the malicious payload, exploiting the human element to bypass security controls.
Attackers are also able to evade various SEGs, including those from major security vendors such as Cisco and Proofpoint, by embedding the malicious virtual hard drive files inside archive attachments.
Threat actors complicate detection by manipulating file hashes in virtual hard drive files. By adding unnecessary padding or modifying storage allocations, they can create files that appear differently in scans but still deliver the same malicious payload.
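Both of the evasion points above, nesting the disk image inside an archive and altering its hash with padding, argue for inspecting attachment contents by file signature rather than by file extension or hash blocklist. The following is an added example written for this article, not code from Cofense or any vendor named here: it walks a zip attachment, identifies VHD and VHDX members by the format identifiers published in Microsoft's disk image specifications (assumed here: "vhdxfile" at the start of a VHDX, and the "conectix" cookie at the start of a VHD's 512-byte footer and, for dynamic VHDs, at offset 0), and shows that appending padding changes the SHA-256 while the signature check still fires. The sample archive is constructed inline; the file names and payload bytes are made up.

```python
import hashlib
import io
import zipfile
from typing import Optional

# Format identifiers from the VHD/VHDX specifications (assumption: see lead-in).
VHDX_SIGNATURE = b"vhdxfile"   # first 8 bytes of a VHDX file
VHD_COOKIE = b"conectix"       # first 8 bytes of the 512-byte VHD footer


def classify_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd' or None based on content alone, ignoring the file name."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if data[:8] == VHD_COOKIE:                       # dynamic VHDs mirror the footer up front
        return "vhd"
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:
        return "vhd"
    return None


def triage_archive(archive_bytes: bytes) -> list:
    """Walk a zip attachment and report every member that is a virtual disk image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            kind = classify_disk_image(data)
            if kind is None:
                continue
            findings.append({
                "member": info.filename,
                "kind": kind,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                # extension mismatch is itself worth flagging to analysts
                "renamed": not info.filename.lower().endswith((".vhd", ".vhdx")),
            })
    return findings


def padding_changes_hash(data: bytes, extra: int = 4096) -> dict:
    """Show why hash blocklists fail against padded images while signature checks do not."""
    padded = data + b"\x00" * extra
    return {
        "hash_before": hashlib.sha256(data).hexdigest(),
        "hash_after": hashlib.sha256(padded).hexdigest(),
        "still_detected": classify_disk_image(padded) == classify_disk_image(data),
    }


def build_sample_archive() -> bytes:
    """Constructed sample: a zip holding a fake VHDX, a fake VHD renamed to .pdf, and a text file."""
    fake_vhdx = VHDX_SIGNATURE + b"\x00" * 1016
    fake_vhd = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504   # cookie opens the trailing 512-byte footer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("curriculum.vhdx", fake_vhdx)
        zf.writestr("curriculum.pdf", fake_vhd)
        zf.writestr("readme.txt", b"plain text, not a disk image")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
    print(padding_changes_hash(VHDX_SIGNATURE + b"\x00" * 1016))
```

Note that `padding_changes_hash` appends zeros after the VHD footer, which is why the VHDX case (signature at offset 0) is the one demonstrated in `__main__`; a padded fixed-size VHD would no longer end with its footer, and a production scanner should also look for the cookie at offsets other than the last 512 bytes.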