Mon Dec 16 2024

Cybercriminals use virtual hard drives to introduce RAT in phishing attacks.

AutoRun and AutoPlay further increase the level of risk.

Specialists have warned about the abuse of virtual hard disks in phishing campaigns, where these files are used to deliver malware to victims by email. Virtual hard disk files, which typically carry the extensions .vhd and .vhdx, let users create virtual volumes that mount and behave like physical disks in a Windows environment. Although they have legitimate uses in software development and virtual machines, cybercriminals are increasingly using them to infect systems.

A recent study has indicated that these files are being used to evade detection tools such as Secure Email Gateways (SEGs) and antivirus solutions, allowing the delivery of Remote Access Trojans (RATs). This type of attack is particularly difficult to identify, even with advanced scanning tools, because the malware stays hidden inside the disk image until it is mounted.

The latest campaign consists of phishing attacks aimed at Spanish speakers, with emails carrying .vhdx attachments. When the recipient opens such a file, a Visual Basic script runs and loads the Remcos RAT into memory. The campaign also includes autorun.inf files that exploit older Windows versions which still support AutoRun, showing the attackers' intention to reach a wide range of potential victims with different system configurations.

AutoRun, a feature of earlier versions of Windows, allows a file to be executed automatically when a volume is mounted. Attackers have used this feature to run malicious payloads without the user's knowledge on systems where AutoRun is enabled. Although more recent versions of Windows have mitigated these risks by disabling AutoRun execution, users with outdated systems remain exposed to silent execution of malware. Even without AutoRun, attackers can rely on AutoPlay to prompt victims to run the malicious payload themselves, leveraging the human factor to bypass security controls.

Furthermore, cybercriminals have managed to evade several SEGs by embedding the malicious content in virtual hard disk files placed inside compressed attachments, bypassing protections from recognized security providers such as Cisco and Proofpoint. To further complicate detection, they alter the hashes of the files within the virtual hard disks by padding them with unnecessary data or modifying the storage allocation, producing files that look different to hash-based scanning but still deliver the same malicious payload.
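Because the campaign relies on renamed or re-padded disk images inside ZIP attachments, a mail-gateway check that identifies VHD and VHDX files by their magic bytes rather than by extension or hash is the practical countermeasure. The following is an added illustration written for this article, not code from the researchers or any vendor; the "conectix" and "vhdxfile" signatures come from Microsoft's published VHD and VHDX format specifications, and the sample blobs and archive are constructed inline.

```python
import hashlib
import io
import zipfile

# From the VHD/VHDX specifications: every VHD footer (and the header copy of
# a dynamic VHD) begins with "conectix"; every VHDX begins with "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"
DISK_IMAGE_EXTS = (".vhd", ".vhdx")

def disk_image_type(data):
    """Classify a blob as 'vhdx', 'vhd' or None by content, not by filename."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    # Fixed VHDs keep the footer only in the last 512 bytes; dynamic ones mirror it at offset 0.
    if data[:8] == VHD_COOKIE or data[-512:][:8] == VHD_COOKIE:
        return "vhd"
    return None

def scan_attachment(name, data, depth=0):
    """Flag disk images in an attachment, descending into ZIP containers.
    Padding or allocation tricks change the SHA-256 but not the magic bytes."""
    findings = []
    kind = disk_image_type(data)
    if kind or name.lower().endswith(DISK_IMAGE_EXTS):
        findings.append({"name": name,
                         "reason": f"magic:{kind}" if kind else "extension",
                         "sha256": hashlib.sha256(data).hexdigest()})
    if depth < 2 and data[:2] == b"PK":  # recurse into nested archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size <= 64 * 1024 * 1024:  # cap member size
                        findings += scan_attachment(f"{name}/{info.filename}",
                                                    zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass
    return findings

# Constructed samples (no real malware): VHDX-like and fixed-VHD-like blobs in a ZIP wrapper.
FAKE_VHDX = VHDX_SIGNATURE + b"\x00" * 1016
FAKE_VHD = b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504

def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attachment.vhdx", FAKE_VHDX)  # obvious extension
        zf.writestr("readme.txt", FAKE_VHD)        # renamed disk image
        zf.writestr("cover.txt", b"plain text")    # benign member
    return buf.getvalue()
```

Running `scan_attachment("mail.zip", build_sample_zip())` flags both disk images, including the one renamed to .txt, while the benign member passes; the hash in each finding is recorded for correlation only and never decides the verdict.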