- Virtual hard drives are being abused in phishing campaigns, experts warn
- The virtual drives are used to drop RAT malware into unsuspecting inboxes
- The attack vector is particularly difficult for antivirus to detect
Mountable virtual hard drive files, typically in .vhd and .vhdx formats, allow users to create virtual volumes that function like physical drives in a Windows environment.
While these files have legitimate uses in software development and virtual machines, cybercriminals have increasingly exploited them to deliver malware, experts have warned.
Recent research by Cofense Intelligence has revealed such tools are now being used to bypass detection mechanisms like Secure Email Gateways (SEGs) and antivirus solutions to drop Remote Access Trojans (RATs).
The rising use of virtual hard drive files
This exploitation is particularly difficult to detect, even with sophisticated scanning tools employed by SEGs and antivirus solutions, as the malware remains hidden within the mounted files.
The latest campaign has shifted focus toward resume-themed phishing attacks targeting Spanish-speaking individuals. The emails contained .vhdx files that, when opened, executed Visual Basic Script to load the Remcos RAT into memory.
This campaign notably included autorun.inf files designed to take advantage of older versions of Windows that still support AutoRun capabilities, further demonstrating the attackers’ intention to exploit a wide range of potential victims with varying system setups.
AutoRun, a feature in older versions of Windows, allows a file to execute automatically when a volume is mounted. Attackers have often exploited this feature to run malicious payloads without user intervention in systems where AutoRun is enabled.
Although Windows Vista and later versions mitigate these risks by disabling automatic execution, users with outdated systems remain vulnerable to silent malware execution. Even without AutoRun, attackers can use AutoPlay to prompt victims into manually running the malicious payload, leveraging the human factor to bypass security controls.
Attackers were also able to evade various SEGs, including those from major security vendors such as Cisco and Proofpoint, by embedding malicious content within virtual hard drive files nested inside archive attachments.
Threat actors further complicate detection by manipulating file hashes within virtual hard drive files. By adding unnecessary filler data or modifying storage space allocation, they can create files that appear different in scans but still deliver the same malicious payload.
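As an added defender-side example (not code from the article or from Cofense), the following Python scan flags virtual disk images nested inside a ZIP attachment by their documented format signatures rather than by file name or hash, and shows why appending filler data changes a file's SHA-256 without changing the signature a content check keys on. The sample archive, member names and the signature-only VHDX stub are constructed for the demonstration.

```python
import hashlib
import io
import zipfile
from typing import List, Optional, Tuple

# Documented identifiers: a VHDX begins with the ASCII string "vhdxfile"; a VHD
# ends in a 512-byte footer with cookie "conectix" (dynamic VHDs also copy it to offset 0).
VHDX_SIGNATURE = b"vhdxfile"
VHD_COOKIE = b"conectix"
DISK_EXTENSIONS = (".vhd", ".vhdx", ".iso", ".img")

def identify_virtual_disk(blob: bytes) -> Optional[str]:
    """Classify a blob as 'vhdx', 'vhd' or None from content, not file name."""
    if blob[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if blob[:8] == VHD_COOKIE or (len(blob) >= 512 and blob[-512:-504] == VHD_COOKIE):
        return "vhd"
    return None

def scan_archive(archive_bytes: bytes) -> List[str]:
    """Report ZIP members that are virtual disks, by signature first, then extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            kind = identify_virtual_disk(zf.read(info.filename))
            if kind:  # content check catches a .vhdx renamed to .dat
                findings.append(f"{info.filename}: {kind} image by signature")
            elif info.filename.lower().endswith(DISK_EXTENSIONS):
                findings.append(f"{info.filename}: virtual disk extension only")
    return findings

def filler_defeats_hash_not_signature(blob: bytes, filler: bytes) -> Tuple[bool, bool]:
    """Filler changes the SHA-256 (hash blocklist misses it) but not the offset-0 signature."""
    padded = blob + filler
    hash_changed = hashlib.sha256(blob).digest() != hashlib.sha256(padded).digest()
    still_detected = identify_virtual_disk(padded) == identify_virtual_disk(blob)
    return hash_changed, still_detected

def build_sample_archive() -> bytes:
    """Constructed attachment: ZIP with a signature-only VHDX stub (not a real image) under two names."""
    stub_vhdx = VHDX_SIGNATURE + b"\x00" * 1024
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("curriculum.pdf.vhdx", stub_vhdx)
        zf.writestr("notes.txt", b"constructed harmless text member")
        zf.writestr("disk.dat", stub_vhdx)
    return buf.getvalue()
```

A fixed-size VHD carries its cookie only in the trailing footer, so filler appended after the footer would defeat the footer check; the head-of-file check demonstrated here applies to VHDX and dynamic VHD.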