
Cybercriminals are using virtual hard drives to drop RATs in phishing attacks


  • Virtual hard drives are being abused in phishing campaigns, experts warn
  • The virtual drives are used to drop RAT malware into unsuspecting inboxes
  • The attack vector is particularly difficult for antivirus to detect

Mountable virtual hard drive files, typically in .vhd and .vhdx formats, allow users to create virtual volumes that function like physical drives in a Windows environment.

While these files have legitimate uses in software development and virtual machines, cybercriminals have increasingly exploited them to deliver malware, experts have warned.

Recent research by Cofense Intelligence has revealed such tools are now being used to bypass detection mechanisms like Secure Email Gateways (SEGs) and antivirus solutions to drop Remote Access Trojans (RATs).

The rising use of virtual hard drive files

This exploitation is particularly difficult to detect, even with sophisticated scanning tools employed by SEGs and antivirus solutions, as the malware remains hidden within the mounted files.

The latest campaign has shifted focus toward resume-themed phishing attacks targeting Spanish-speaking individuals. The emails contained .vhdx files that, when opened, executed Visual Basic Script to load the Remcos RAT into memory.

This campaign notably included autorun.inf files designed to take advantage of older versions of Windows that still support AutoRun capabilities, further demonstrating the attackers’ intention to exploit a wide range of potential victims with varying system setups.

AutoRun, a feature in older versions of Windows, allows a file to execute automatically when a volume is mounted. Attackers have often exploited this feature to run malicious payloads without user intervention in systems where AutoRun is enabled.

Although Windows Vista and later versions mitigate these risks by disabling automatic execution, users with outdated systems remain vulnerable to silent malware execution. Even without AutoRun, attackers can use AutoPlay to prompt victims into manually running the malicious payload, leveraging the human factor to bypass security controls.

Attackers were also able to bypass various SEGs, including those from major security vendors such as Cisco and Proofpoint, by embedding malicious content within virtual hard drive files placed inside archive attachments.

Threat actors further complicate detection by manipulating file hashes within virtual hard drive files. By adding unnecessary filler data or modifying storage space allocation, they can create files that appear different in scans but still deliver the same malicious payload.
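The two detection points made above, scanning for disk images nested inside archive attachments and not relying on a container hash that filler data can change at will, can be combined into a small attachment checker. The following Python is an added example written for this article, not code from Cofense or from the article itself; it identifies VHD/VHDX containers by their on-disk signatures (the `conectix` VHD footer cookie and the `vhdxfile` VHDX identifier) rather than by file extension, descends into ZIP archives with a depth and size cap, and applies a crude raw-byte heuristic for an `autorun.inf` directory entry. The sample images are constructed inline and are not mountable; the function and constant names are this example's own.

```python
"""Heuristic scanner for VHD/VHDX disk images arriving as mail attachments.

Added example, not from the article or from Cofense. Classifies attachments by
signature instead of extension or hash, looks inside ZIP archives, and flags
raw image bytes that look like an autorun.inf directory entry.
"""
import hashlib
import io
import zipfile

VHD_COOKIE = b"conectix"      # first 8 bytes of the 512-byte VHD footer
VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of a VHDX file
MAX_DEPTH = 3                 # nested-archive limit
MAX_BYTES = 64 * 1024 * 1024  # per-entry decompression cap (zip-bomb guard)

# Raw-byte markers for an autorun.inf name: NTFS stores file names as
# UTF-16LE, FAT short entries store the 8.3 name "AUTORUN INF" in ASCII.
AUTORUN_MARKERS = ("autorun.inf".encode("utf-16-le"), b"AUTORUN INF")


def classify_image(data):
    """Return 'vhdx', 'vhd' or None from signatures alone, ignoring the name."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:
        return "vhd"  # fixed or dynamic VHD: footer at the end of the file
    if data[:8] == VHD_COOKIE:
        return "vhd"  # dynamic/differencing VHD: footer copy at offset 0
    return None


def mentions_autorun(data):
    """Cheap heuristic: does the raw image contain an autorun.inf name?"""
    low = data.lower()
    return any(marker.lower() in low for marker in AUTORUN_MARKERS)


def scan_attachment(name, data, depth=0):
    """Return a list of findings for one attachment, descending into ZIPs."""
    findings = []
    kind = classify_image(data)
    if kind:
        findings.append({
            "path": name,
            "type": kind,
            # a disk image hiding behind an unrelated extension is itself a signal
            "extension_mismatch": not name.lower().endswith((".vhd", ".vhdx")),
            "sha256": hashlib.sha256(data).hexdigest(),
            "autorun_inf": mentions_autorun(data),
        })
        return findings
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_BYTES:
                    continue
                inner = zf.read(info)
                findings.extend(
                    scan_attachment(f"{name}/{info.filename}", inner, depth + 1))
    return findings


def build_fake_vhd(payload, filler):
    """Constructed stand-in for a fixed VHD: data, filler bytes, then a
    512-byte footer beginning with 'conectix'. Not a mountable image."""
    footer = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    return payload + b"\x00" * filler + footer


def demo():
    """Same data with different filler: the container hashes differ, the
    signature-based verdict does not. The second image travels in a ZIP
    under a misleading extension, as the article describes."""
    inner = b"..." + "autorun.inf".encode("utf-16-le") + b"..."  # constructed
    img_a = build_fake_vhd(inner, filler=0)
    img_b = build_fake_vhd(inner, filler=4096)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("cv_candidate.img", img_b)
    return scan_attachment("resume.vhd", img_a), scan_attachment("resume.zip", buf.getvalue())


if __name__ == "__main__":
    for result in demo():
        for finding in result:
            print(finding)
```

The hash field is kept only for reporting: a blocklist keyed on it would miss the second image, while the signature check, the extension mismatch and the autorun marker all fire on both. A production gateway would replace the byte-marker heuristic with real filesystem parsing of the mounted volume, but the principle of classifying by content rather than by name or hash is the same.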

https://www.techradar.com/pro/Cybercriminals-are-using-virtual-hard-drives-to-drop-RATs-in-phishing-attacks
