
by Howard Solomon

Threat actors increasingly using malicious virtual hard drives in phishing attacks

News | 22 Oct 2024 | 5 min read
Topics: Email Security, Malware, Security

The tactic is a way of getting around email gateways and antivirus, according to Cofense.

[Image: phishing concept. Credit: JLStock / Shutterstock]

Threat actors are increasingly creating malicious virtual hard drives to distribute malware, in the hopes of getting around email gateways that have become good at detecting infected documents, spreadsheets, and PDFs, says a new study.

“While virtual hard drive files like .vhd and .vhdx are typically used for virtual machines, they can also be opened in Windows to mount the virtual image as if it were a physical volume,” researchers at Cofense warned infosec defenders on Tuesday.

Phishing lures are sent to would-be victims with .zip archive attachments containing malicious virtual hard drive files, or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim. The hope is that a victim can be misled into running a malicious payload.

Another tactic is to configure the virtual hard drive to automatically execute files in Windows via AutoRun. Starting with Windows Vista, however, files won’t run automatically; users are given a prompt asking for their approval.

The phishing campaigns seen this year all appear to be delivering the Remcos Remote Access Trojan (RAT) and/or the XWorm RAT, the study says.

The study also says that in one email campaign Cofense has seen, some malicious virtual hard drive files were able to get by gateways from Cisco Systems, FireEye, and Proofpoint. There were cases where the malicious file had a negative verdict (that is, the file was cleared), was scanned but not flagged as malicious, or was scanned but determined not to be spam.

Virtual hard drive files also seem to be effective at evading detection by most antivirus solutions, the study adds. In one Cofense test using the VirusTotal scanner, which includes 62 antivirus (AV) engines, only one tagged the malicious file.

It’s not that using malicious virtual hard drive files is new: In 2019, the study notes, a researcher tested one of these files against 59 AV engines in VirusTotal. Only four detected the file as malicious.

Infosec leaders need to add an alert about malicious virtual hard drives to their employee security awareness training, under the category of not clicking on unexpected attachments. From an employee’s point of view, the attachment would appear to be a document. Employees also need to be reminded not to allow the autorun command to execute without approval.

Telltale sign

Kahng An, a member of the Cofense Intelligence Team, said in an email interview that there’s a tell-tale sign of this kind of attack: “In general, virtual hard drive files are expected to be fairly large as they are intended to be storage volumes for large amounts of information,” he wrote. As a result, “particularly small virtual hard drive files should be treated with suspicion as they are likely not being used appropriately. Email typically isn’t a good medium for large file transfers either, so an attached virtual hard drive file should also be treated with suspicion regardless of its size.

“From a mitigation standpoint, it might be worth removing file associations for various virtual hard drive file extensions such as .vhd and .iso from most users’ workstations. The average user in an organization probably won’t ever have a legitimate reason to need to use virtual hard drive files, and those who do need access to them could have file associations restored as needed.”
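The two observations above, that a disk image is out of place in e-mail and that a small one is doubly suspect, translate directly into a screening rule for inbound attachments. The following Python is an added example, not Cofense's code or tooling: it recognises VHD and VHDX content by signature rather than trusting the extension, looks one level inside .zip attachments, and flags disk images small enough to travel by e-mail; the 50 MB threshold is an assumption, and the sample files are constructed in-line.

```python
import io
import zipfile

# A VHD ends with a 512-byte footer whose first 8 bytes are the cookie "conectix"
# (dynamic VHDs also carry a copy at offset 0); a VHDX begins with "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"
DISK_IMAGE_EXTS = (".vhd", ".vhdx", ".iso", ".img")
# Assumed threshold for "particularly small"; tune it to your environment.
SMALL_IMAGE_BYTES = 50 * 1024 * 1024

def classify_blob(name, data):
    """Return findings for one file: content signatures first, then extension."""
    findings = []
    if data.startswith(VHDX_SIGNATURE):
        findings.append("vhdx-signature")
    if data.startswith(VHD_COOKIE) or data[-512:].startswith(VHD_COOKIE):
        findings.append("vhd-footer")
    if name.lower().endswith(DISK_IMAGE_EXTS):
        findings.append("disk-image-extension")
    # A disk image small enough to e-mail is the telltale sign described above.
    if findings and len(data) < SMALL_IMAGE_BYTES:
        findings.append("suspiciously-small")
    return findings

def inspect_attachment(name, data):
    """Map 'attachment!member' -> findings, descending one level into .zip archives."""
    results = {}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                if member.is_dir():
                    continue
                findings = classify_blob(member.filename, archive.read(member))
                if findings:
                    results[f"{name}!{member.filename}"] = findings
    elif classify_blob(name, data):
        results[name] = classify_blob(name, data)
    return results

def build_fake_vhd(size=4096):
    """Constructed sample: zero-filled body plus a footer that opens with the cookie."""
    return b"\0" * (size - 512) + VHD_COOKIE + b"\0" * 504

def build_zip(members):
    """Constructed sample archive built from a {member name: bytes} mapping."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for member_name, content in members.items():
            archive.writestr(member_name, content)
    return buffer.getvalue()
```

A renamed image (say, a VHD delivered as "invoice.pdf") still trips the content check, which is why the extension test is only the second signal.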

So far this year, Cofense has seen threat actors use email campaigns containing virtual hard drives sent to several of its business customers. They included emails sent in May to employees at an unnamed bank with the subject line “2023 Tax supporting Documents.”

“I hope your break has been restful,” the message from the hacker read. “I have included the pdf version of some of my previous and current tax documents as requested via adobe secure link below. Kindly go through them so our phone conversation will be short and seamless. Smile!”

In June and July, an email campaign spoofed the logos of Canada Post and other postal services to deliver .zip archives containing a virtual hard drive purporting to be a package label photo. Recipients were told in the message that a package was unable to be delivered.

After the user opened the supposed package label on the virtual hard drive, a malicious Visual Basic Script file stored within a folder named faq would execute. The script delivered a DotNETLoader and XWorm RAT, which was in turn used to deliver the Remcos RAT.

A campaign targeting Spanish-speaking victims had attached .zip archive files that purported to be a curriculum vitae. The archives included AutoRun files that would work on older versions of Windows. However, the study reiterated, malicious activities via AutoRun are heavily mitigated in versions of Windows since Vista, which was released in late 2006.