Cybercriminals are using virtual hard drives to drop RATs in phishing attacks


  • Virtual hard drives are being abused in phishing campaigns, experts warn
  • The virtual drives are used to drop RAT malware into unsuspecting inboxes
  • The attack vector is particularly difficult for antivirus to detect

Mountable virtual hard drive files, typically in .vhd and .vhdx formats, allow users to create virtual volumes that function like physical drives in a Windows environment.

While these files have legitimate uses in software development and virtual machines, cybercriminals have increasingly exploited them to deliver malware, experts have warned.

Recent research by Cofense Intelligence has revealed such tools are now being used to bypass detection mechanisms like Secure Email Gateways (SEGs) and antivirus solutions to drop Remote Access Trojans (RATs).

The rising use of virtual hard drive files

This exploitation is particularly difficult to detect, even with sophisticated scanning tools employed by SEGs and antivirus solutions, as the malware remains hidden within the mounted files.

The latest campaign has shifted focus toward resume-themed phishing attacks targeting Spanish-speaking individuals. The emails contained .vhdx files that, when opened, executed a Visual Basic Script to load the Remcos RAT into memory.

This campaign notably included autorun.inf files designed to take advantage of older versions of Windows that still support AutoRun capabilities, further demonstrating the attackers’ intention to exploit a wide range of potential victims with varying system setups.

AutoRun, a feature in older versions of Windows, allows a file to execute automatically when a volume is mounted. Attackers have often exploited this feature to run malicious payloads without user intervention in systems where AutoRun is enabled.

Although Windows Vista and later versions mitigate these risks by disabling automatic execution, users with outdated systems remain vulnerable to silent malware execution. Even without AutoRun, attackers can use AutoPlay to prompt victims into manually running the malicious payload, leveraging the human factor to bypass security controls.
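As an added illustration of the AutoRun and AutoPlay behaviour described above (this is example code, not part of the article or of Cofense's research), the following Python snippet parses an autorun.inf and reports the directives that would launch a file automatically, or offer to launch it through the AutoPlay prompt, when a volume is mounted. The sample autorun.inf and the script name it references are constructed placeholders.

```python
"""Flag the directives in an autorun.inf that run or offer to run a file on mount.

Added example; not from the article. The sample below is constructed and the
file name it references (resume_launcher.vbs) is a placeholder.
"""
import re
from typing import Dict, List, Optional

# Keys Windows honours to start a program automatically (AutoRun) or to offer
# it as the default choice in the AutoPlay dialog.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed sample: shape of an autorun.inf that launches a script on mount
open=resume_launcher.vbs
shellexecute=resume_launcher.vbs
shell\\open\\command=resume_launcher.vbs
icon=%SystemRoot%\\system32\\shell32.dll,4
label=Curriculum Vitae
action=Open resume
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value pairs from the [autorun] section.

    Section and key names are treated case-insensitively, as Windows does;
    sections other than [autorun] are ignored, and ';' lines are comments.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_directives(text: str) -> List[str]:
    """List directives that would execute (or offer to execute) a file."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in AUTO_EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            findings.append(f"{key} -> {value}")
    return findings


def autoplay_text(text: str) -> Optional[str]:
    """Return the 'action' text the AutoPlay dialog would show, if any.

    This is the lure a user sees when AutoRun is disabled but AutoPlay prompts.
    """
    return parse_autorun(text).get("action")


if __name__ == "__main__":
    for finding in exec_directives(SAMPLE_AUTORUN_INF):
        print("auto-exec:", finding)
    print("AutoPlay prompt text:", autoplay_text(SAMPLE_AUTORUN_INF))
```

On a modern system the `open` and `shellexecute` lines are ignored for hard-drive-class volumes, but the `action` and `label` text still shapes what a user is shown, which is why a mounted image with an autorun.inf is worth flagging even where AutoRun is disabled.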

Attackers were also able to bypass various SEGs by embedding malicious content within virtual hard drive files inside archive attachments, bypassing SEGs from major security vendors such as Cisco and Proofpoint.

Threat actors further complicate detection by manipulating file hashes within virtual hard drive files. By adding unnecessary filler data or modifying storage space allocation, they can create files that appear different in scans but still deliver the same malicious payload.
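To make the detection side of the two points above concrete (virtual disks hidden inside archive attachments, and filler data defeating hash-based matching), here is an added Python example; it is not code from the article or from Cofense. It classifies an attachment as VHD or VHDX by its on-disk signature (the `vhdxfile` identifier at offset 0 of a VHDX, and the `conectix` footer cookie of a VHD, which dynamic disks also mirror at offset 0) rather than by extension or whole-file hash, and it looks inside ZIP attachments. The attachment bytes are constructed stand-ins: only the signatures are real, the remainder is filler.

```python
"""Identify VHD/VHDX attachments by signature, including inside ZIP archives.

Added example, not from the article. All sample bytes are constructed:
real signatures followed by zero filler standing in for the image body.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Optional, Tuple

VHDX_SIGNATURE = b"vhdxfile"  # file type identifier at offset 0 of a VHDX
VHD_COOKIE = b"conectix"      # VHD footer cookie (last 512 bytes; dynamic disks copy it to offset 0)
VHD_FOOTER_SIZE = 512


def classify_virtual_disk(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd' or None from content alone, ignoring the file name."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if data[:8] == VHD_COOKIE or data[-VHD_FOOTER_SIZE:][:8] == VHD_COOKIE:
        return "vhd"
    return None


def scan_attachment(name: str, data: bytes) -> List[Tuple[str, str]]:
    """Return (path, kind) for each virtual disk found directly or inside a ZIP."""
    hits: List[Tuple[str, str]] = []
    kind = classify_virtual_disk(data)
    if kind:
        hits.append((name, kind))
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner_kind = classify_virtual_disk(zf.read(info))
                if inner_kind:
                    hits.append((f"{name}/{info.filename}", inner_kind))
    return hits


def fake_vhdx(filler: int) -> bytes:
    """Constructed stand-in: real VHDX signature, then zeros for the image body."""
    return VHDX_SIGNATURE + b"\x00" * filler


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive from name -> bytes (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


def demo() -> dict:
    """Show that filler changes the hash but not the signature-based verdict."""
    original = fake_vhdx(4096)
    padded = fake_vhdx(8192)  # same signature, extra filler -> different SHA-256
    # A misleading inner extension: the member is a VHDX despite the .pdf name.
    archive = build_zip({"curriculum_vitae.pdf": padded})
    return {
        "hash_same": hashlib.sha256(original).digest() == hashlib.sha256(padded).digest(),
        "kind_original": classify_virtual_disk(original),
        "kind_padded": classify_virtual_disk(padded),
        "archive_hits": scan_attachment("resume.zip", archive),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The verdict comes from structure, so an attacker re-padding the image (which changes its hash) does not change the classification; a real gateway rule would then mount or block the image for further inspection rather than compare it against a blocklist of hashes.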

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com
