Criminals are using a virtual hard disk image file to host and distribute dangerous malware

News
By published

Newly discovered phishing campaign utilizes a unique file type to spread

Pirate skull cyber attack digital technology flag cyber on on computer CPU in background. Darknet and cybercrime banner cyberattack and espionage concept illustration.
(Image credit: Shutterstock)
  • Forcepoint observes new phishing campaign distributing virtual hard disk files
  • The files bypass security protections to deploy the VenomRAT
  • Victims end up losing sensitive data, so be on your guard

Criminals are now using virtual hard disk image files to host and distribute dangerous malware, researchers from Forcepoint are saying.

In an in-depth analysis, Forcepoint said it observed a phishing campaign, themed as a purchase order. In the attachment of the email is an archive which, when extracted, shows a hard disk Image file (.VHD).

When the victim opens the file, it mounts itself as a hard drive, and runs a batch script that includes a series of obfuscations including garbage characters, Base64 and AES encryption files. The .BAT file drops the Venom Remote Access Trojan (RAT) and spawns a PowerShell script that uses the Pastebin service to host C2 and exfiltrate stolen data.

Working around security solutions

Forcepoint’s Prashant Kumar said the threat actors opted for a VHD file to work around any email security, or endpoint protection solutions the target may have installed on their device.

“Threat actors always like to find new ways to deliver malware undetected to target large communities,” Kumar said. “I’ll cover a current technique threat actors use to bypass security measures, deliver malware, infect systems and exfiltrate data—all by using a virtual hard disk image file to host and distribute the VenomRAT malware.”

VenomRAT is a type of Trojan that allows cybercriminals to take full control of an infected system. Once installed, it enables attackers to execute commands remotely, steal sensitive information, and manipulate the victim's computer without their knowledge. It is commonly used for keylogging and extracting saved credentials from web browsers and applications.

This malware is also capable of capturing screenshots and activating webcams, employs various persistence mechanisms, and can deploy additional malware. Because of its powerful capabilities, VenomRAT is often distributed through phishing emails, malicious downloads, and exploit kits that target system vulnerabilities.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.