Cybercriminals use virtual hard drives to drop RATs in phishing attacks
- Virtual hard drives are being abused in phishing campaigns, experts warn
- The virtual drives are used to deliver RAT malware into unsuspecting inboxes
- The attack vector is extremely difficult for antivirus programs to detect
Mountable virtual hard disk files, usually in .vhd and .vhdx formats, allow users to create virtual volumes that function like physical disks in a Windows environment.
While these files have legitimate uses in software development and virtual machines, cybercriminals have increasingly abused them to spread malware, experts warn.
Recent research from Cofense Intelligence has revealed that such files are now being used to slip past detection mechanisms such as Secure Email Gateways (SEGs) and antivirus solutions and deliver Remote Access Trojans (RATs).
The increasing abuse of virtual hard drive files
The technique is hard to detect, even with the advanced scanning used by SEGs and antivirus products, because the malicious files sit inside the disk image rather than arriving as plain attachments: a scanner that does not mount or parse the image never sees them.
The latest campaign has shifted the focus to resume-themed phishing attacks targeting Spanish-speaking individuals. The emails contained .vhdx files that, when opened, executed Visual Basic Script to load the Remcos RAT into memory.
Notably, this campaign also included autorun.inf files designed to take advantage of older versions of Windows that still support AutoRun, showing that the attackers intended to reach victims across a range of system configurations.
AutoRun, a feature of older Windows versions, launches the program named in a volume's autorun.inf file automatically when that volume is mounted. Attackers have long abused it to execute payloads without any user interaction on systems where it is enabled.
Although Windows Vista and later versions mitigate this by no longer running autorun.inf entries automatically, users on legacy systems remain exposed to silent malware execution. Even where AutoRun is off, attackers can still use the AutoPlay prompt to present the payload as something the victim should open, relying on the human factor rather than a technical flaw to get past security controls.
Attackers also got past several SEGs, including products from major vendors such as Cisco and Proofpoint, by nesting the virtual hard drive file inside an archive attachment rather than attaching it directly.
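The first check a mail-security practitioner would want is to recognise a VHD or VHDX attachment by its content rather than its file name, and to keep looking when the image is wrapped in one or more archives. The script below is an added example (not code from Cofense or from the article) that does this with the two documented on-disk signatures: a VHDX begins with the eight bytes `vhdxfile`, and a VHD carries a 512-byte footer at the end of the file whose first eight bytes are the cookie `conectix` (dynamic and differencing VHDs also keep a copy of that footer at offset 0). The samples it scans are constructed stubs that carry only those signatures, not real disk images; the recursion depth and the 64 MiB member-size cap are assumptions chosen as a guard against nested-archive bombs.

```python
import io
import zipfile
from typing import List, Optional, Tuple

SECTOR = 512
VHD_COOKIE = b"conectix"      # first 8 bytes of the 512-byte VHD footer at the end of the file
VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of a VHDX file
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # assumption: skip archive members larger than this (zip-bomb guard)


def classify_disk_image(data: bytes) -> Optional[str]:
    """Identify a VHD/VHDX by its content signature, ignoring whatever extension the sender chose."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if len(data) >= SECTOR and data[-SECTOR:][:8] == VHD_COOKIE:
        return "vhd"          # fixed or dynamic VHD: footer at the end of the file
    if data[:8] == VHD_COOKIE:
        return "vhd"          # dynamic/differencing VHD also keeps a footer copy at offset 0
    return None


def find_disk_images(name: str, data: bytes, depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Return (path, kind) for every disk image found, recursing into ZIP archives up to max_depth."""
    kind = classify_disk_image(data)
    if kind:
        return [(name, kind)]
    hits: List[Tuple[str, str]] = []
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member = zf.read(info)
                hits.extend(find_disk_images(f"{name}/{info.filename}", member, depth + 1, max_depth))
    return hits


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct the sample attachment below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in entries.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: signature-correct stubs, not real disk images and not files from the campaign.
SAMPLE_VHDX = VHDX_SIGNATURE + b"\x00" * 1024
SAMPLE_VHD = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * (SECTOR - len(VHD_COOKIE))
# A "resume" archive that hides a VHDX under a harmless-looking name inside a second archive.
SAMPLE_ATTACHMENT = make_zip({
    "CV.zip": make_zip({"Curriculum_Vitae.pdf": SAMPLE_VHDX}),
    "readme.txt": b"please find my resume attached",
})


if __name__ == "__main__":
    for path, kind in find_disk_images("attachment.zip", SAMPLE_ATTACHMENT):
        print(f"disk image found: {path} ({kind})")
```

Because the check keys on the signatures and not on the `.vhd`/`.vhdx` extension, renaming the image to `.pdf` or burying it two archives deep does not hide it; the same logic can be dropped into a mail-flow hook or a SEG custom rule that already hands you attachment bytes.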
Threat actors further complicate detection by manipulating the hash of the virtual hard drive file itself. By adding padding data or changing how storage is allocated within the image, they produce files whose hashes differ from one sample to the next, so hash-based blocklists never match, while the payload inside the image stays exactly the same.
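To see why a hash of the whole image is a weak indicator, and what a more robust one looks like, here is an added example (not Cofense's method and not code from the article) that builds three simplified fixed-size VHD images around the same embedded bytes: one unpadded, one with 64 extra zero sectors appended, and one with the payload relocated to a later sector. The container hashes all differ, but a hash computed over the data region after the footer and the empty sectors at either end are dropped is identical for all three. The payload is a constructed byte string, not malware; the footer carries only the `conectix` cookie (a real footer also holds size, geometry, UUID and checksum fields, assumed irrelevant here); and "normalised hashing" is one illustrative approach, a stand-in for the filesystem-aware extraction a production scanner would do.

```python
import hashlib

SECTOR = 512
VHD_COOKIE = b"conectix"

# Constructed stand-in for the embedded payload; not real malware and not taken from the campaign.
PAYLOAD = b"CONSTRUCTED-SAMPLE-PAYLOAD: vbs loader stand-in\r\n"


def build_image(payload: bytes, lead_sectors: int = 0, pad_sectors: int = 0) -> bytes:
    """Build a simplified fixed VHD: [lead zero sectors][payload][zero pad][512-byte footer].

    Only the footer cookie is set (assumption: the other footer fields do not matter for this demo).
    lead_sectors moves the payload to a different offset; pad_sectors appends attacker-controlled padding.
    """
    body = bytearray(lead_sectors * SECTOR)
    body += payload
    body += b"\x00" * (-len(payload) % SECTOR)   # align the payload to a sector boundary
    body += b"\x00" * (pad_sectors * SECTOR)     # padding that changes the container hash
    footer = VHD_COOKIE + b"\x00" * (SECTOR - len(VHD_COOKIE))
    return bytes(body) + footer


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def data_region(image: bytes) -> bytes:
    """Drop the VHD footer, then strip whole all-zero sectors from both ends of the data area."""
    if len(image) < SECTOR or not image[-SECTOR:].startswith(VHD_COOKIE):
        raise ValueError("not a fixed VHD image")
    sectors = [image[i:i + SECTOR] for i in range(0, len(image) - SECTOR, SECTOR)]
    empty = b"\x00" * SECTOR
    while sectors and sectors[0] == empty:
        sectors.pop(0)
    while sectors and sectors[-1] == empty:
        sectors.pop()
    return b"".join(sectors)


def normalized_hash(image: bytes) -> str:
    """Hash that survives padding and relocation because it covers only the populated sectors."""
    return sha256_hex(data_region(image))


if __name__ == "__main__":
    variants = (
        ("plain", build_image(PAYLOAD)),
        ("padded", build_image(PAYLOAD, pad_sectors=64)),
        ("relocated", build_image(PAYLOAD, lead_sectors=8, pad_sectors=3)),
    )
    for label, img in variants:
        print(f"{label:10} size={len(img):6}  container={sha256_hex(img)[:16]}  normalized={normalized_hash(img)[:16]}")
```

The practical point is to block on what the image contains (the payload's own hash, a YARA match on its bytes, or the normalised data-region hash shown here) rather than on the hash of the `.vhd`/`.vhdx` file, which the sender can change at will with one more zero sector.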