- Experts warn that virtual hard drives are being abused in phishing campaigns.
- Virtual drives are used to drop RAT malware into unsuspecting inboxes.
- The attack vector is particularly difficult for antiviruses to detect.
Mountable virtual hard disk files, typically in .vhd and .vhdx formats, allow users to create virtual volumes that function like physical drives in a Windows environment.
While these files have legitimate uses in software development and virtual machines, cybercriminals have increasingly exploited them to distribute malware, experts warned.
Recent research by Cofense Intelligence has revealed that these files are now being used to bypass detection mechanisms such as Secure Email Gateways (SEGs) and antivirus solutions and deliver Remote Access Trojans (RATs).
The increasing use of virtual hard disk files
This technique is particularly difficult to detect, even with the sophisticated scanning tools used by SEGs and antivirus solutions, because the malware remains hidden inside the virtual disk image.
The latest campaign has shifted its focus toward resume-themed phishing attacks targeting Spanish speakers. The emails contained .vhdx files that, when opened, ran a Visual Basic Script that loaded Remcos RAT into memory.
Notably, the campaign also included autorun.inf files designed to take advantage of older Windows versions that still support autorun, showing the attackers' intent to reach as many victims as possible across different system configurations.
Autorun, a feature in previous versions of Windows, allows a file to run automatically when a volume is mounted. Attackers have often exploited this feature to execute malicious payloads without user intervention on systems where autorun is enabled.
Although Windows Vista and later mitigate these risks by disabling autorun, users on outdated systems remain vulnerable to silent malware execution. Even without automatic execution, attackers can use AutoPlay prompts to coax victims into running the malicious payload manually, exploiting the human factor to bypass security controls.
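To make the autorun.inf angle concrete from the defender's side, here is an added example (not code from the article or from Cofense) that triages an autorun.inf recovered from a mounted volume or disk image: it reports which directives would launch a program on a legacy system and which decoy fields (label, icon, action text) are set to make the AutoPlay prompt look like a harmless document. The sample autorun.inf at the bottom is constructed for this example; the file name start.vbs in it is a placeholder, not an indicator from the campaign.

```python
"""Triage an autorun.inf file: find launch directives and decoy fields (added example)."""
import re

# Keys that legacy AutoRun acts on directly (open) or that AutoPlay surfaces as the
# default action (shellexecute).
LAUNCH_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... defines a context-menu verb that runs a program when chosen.
SHELL_COMMAND = re.compile(r"^shell\\[^\\]+\\command$")
# Fields attackers set so the AutoPlay dialog looks like a document rather than a program.
DECOY_KEYS = ("label", "icon", "action")


def parse_autorun(text):
    """Return {key: value} from every section whose name starts with 'autorun'
    ([autorun] and the platform-specific variants). Keys are lower-cased, values keep case.
    Windows treats the file as INI: ';' starts a comment, sections are [name]."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def triage_autorun(text):
    """Summarise what the file would do: programs it launches and how it disguises itself."""
    entries = parse_autorun(text)
    launches = [(k, v) for k, v in entries.items()
                if k in LAUNCH_KEYS or SHELL_COMMAND.match(k)]
    decoy = {k: entries[k] for k in DECOY_KEYS if k in entries}
    return {"launches": launches, "decoy": decoy, "suspicious": bool(launches)}


# Constructed sample: a document-looking volume that launches a script (hypothetical names).
SAMPLE_AUTORUN = """; constructed for this example
[autorun]
open=start.vbs
shell\\open\\command=start.vbs
icon=%SystemRoot%\\system32\\shell32.dll,1
label=Curriculum Vitae
action=Open document
"""

if __name__ == "__main__":
    print(triage_autorun(SAMPLE_AUTORUN))
```

The `suspicious` flag is deliberately coarse: on removable or mounted media any `open=` or `shellexecute=` directive is worth a look, and the decoy fields tell you how the AutoPlay prompt would have been dressed up for the victim.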
Attackers also evaded several SEGs, including products from major security vendors such as Cisco and Proofpoint, by embedding the malicious content in virtual hard drive files inside email attachments.
Threat actors further complicate detection by manipulating the hashes of the virtual hard drive files. By adding unnecessary padding data or changing how storage space is allocated, they produce files that look different to hash-based scanners but still deliver the same malicious payload.
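The two evasion ideas above (hiding the payload in a disk image the gateway does not look inside, and padding the image so its hash changes) suggest a gateway-side check that does not depend on the file extension or on a hash. The following is an added example, not code from the article or from any vendor: it recognises VHD and VHDX attachments by their on-disk signatures (the `conectix` footer cookie of VHD and the `vhdxfile` identifier of VHDX), verifies the VHD footer checksum, and for fixed-size VHDs compares the file length with the disk size declared in the footer, since extra bytes between the disk data and the footer are a sign of padding. The sample images are built in memory for the example; `build_fixed_vhd` is a constructed helper, not a real tool.

```python
"""Structural triage of VHD/VHDX email attachments (added example, constructed samples)."""
import struct
import uuid

VHD_FOOTER_LEN = 512           # a VHD ends with a 512-byte footer
VHD_COOKIE = b"conectix"       # footer cookie; dynamic VHDs also carry a copy at offset 0
VHDX_SIGNATURE = b"vhdxfile"   # first 8 bytes of a VHDX file identifier region
VHD_TYPE_FIXED = 2             # footer "disk type" values: 2 fixed, 3 dynamic, 4 differencing


def vhd_footer_checksum(footer):
    """One's complement of the byte sum of the footer, skipping the checksum field (bytes 64..67)."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def build_fixed_vhd(disk_bytes, creator=b"test"):
    """Construct a minimal fixed VHD: raw disk data followed by a valid footer (sample generator)."""
    footer = bytearray(VHD_FOOTER_LEN)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 8, 2)                   # features: reserved bit always set
    struct.pack_into(">I", footer, 12, 0x00010000)         # format version 1.0
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF)  # data offset: none for fixed disks
    footer[28:32] = creator[:4].ljust(4, b"\0")            # creator application tag
    struct.pack_into(">Q", footer, 40, len(disk_bytes))    # original size
    struct.pack_into(">Q", footer, 48, len(disk_bytes))    # current size
    struct.pack_into(">I", footer, 60, VHD_TYPE_FIXED)     # disk type
    footer[68:84] = uuid.uuid4().bytes                     # unique id
    struct.pack_into(">I", footer, 64, vhd_footer_checksum(footer))
    return bytes(disk_bytes) + bytes(footer)


def inspect_attachment(name, data):
    """Classify an attachment by structure and report anomalies worth a closer look."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    report = {"name": name, "format": None, "ext_mismatch": False, "findings": []}

    if data[:8] == VHDX_SIGNATURE:
        report["format"] = "vhdx"
    elif len(data) >= VHD_FOOTER_LEN and (data[-VHD_FOOTER_LEN:][:8] == VHD_COOKIE
                                          or data[:8] == VHD_COOKIE):
        report["format"] = "vhd"
        footer = data[-VHD_FOOTER_LEN:]
        if footer[:8] != VHD_COOKIE:
            report["findings"].append("footer: cookie only at offset 0, trailing footer missing")
        else:
            stored = struct.unpack_from(">I", footer, 64)[0]
            if stored != vhd_footer_checksum(footer):
                report["findings"].append("checksum: footer checksum mismatch (image modified?)")
            disk_type = struct.unpack_from(">I", footer, 60)[0]
            current_size = struct.unpack_from(">Q", footer, 48)[0]
            report["disk_type"] = disk_type
            if disk_type == VHD_TYPE_FIXED:
                expected = current_size + VHD_FOOTER_LEN
                if len(data) != expected:
                    report["findings"].append(
                        f"padding: file is {len(data)} bytes, fixed disk + footer should be {expected}")

    if report["format"] and ext != report["format"]:
        report["ext_mismatch"] = True
    return report


# Constructed samples: a clean fixed VHD, a padded copy, a footer-tampered copy, and a VHDX stub.
SAMPLE_DISK = bytes(range(256)) * 16                       # 4096 bytes of dummy disk data
SAMPLE_VHD = build_fixed_vhd(SAMPLE_DISK)
PADDED_VHD = SAMPLE_VHD[:-VHD_FOOTER_LEN] + b"\0" * 777 + SAMPLE_VHD[-VHD_FOOTER_LEN:]
_tampered = bytearray(SAMPLE_VHD)
_tampered[-VHD_FOOTER_LEN + 28] ^= 0xFF                    # flip a byte in the creator field
TAMPERED_VHD = bytes(_tampered)
SAMPLE_VHDX = VHDX_SIGNATURE + b"\0" * 120                  # identifier region only

if __name__ == "__main__":
    for fname, blob in [("cv.vhd", SAMPLE_VHD), ("cv.vhd", PADDED_VHD),
                        ("cv.vhd", TAMPERED_VHD), ("cv.pdf", SAMPLE_VHD),
                        ("cv.vhdx", SAMPLE_VHDX), ("notes.txt", b"hello")]:
        print(inspect_attachment(fname, blob))
```

The size check applies only to fixed disks; dynamic and differencing VHDs grow with use, so their file length is not a reliable signal. A mismatch is a reason to detonate or block the attachment, not proof of malice on its own, and the real value of the structural check is that a gateway can act on it before the image is ever mounted.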