Throughout 2019 and the beginning of 2020, the CrowdStrike® Falcon Complete™ team continuously observed a spike in the delivery of weaponized disk image files. Files such as ISO and IMG were sent to infect systems with the goal of delivering remote access trojans (RATs) as well as a few other malware variants. Cybercriminals have been taking advantage of built-in Windows capabilities to mount disk image files once they are opened by the end user. We've identified that these files are typically delivered via phishing campaigns as an attachment or link (a malicious URL in the body of the email) or within cracked software downloads.

A disk image is essentially a virtual copy of a physical disk that houses all of the files and requires that it be mounted in order to access its contents. There are multiple disk image file formats, but we have seen ISO and IMG files being abused the most. The advantages of using disk images, combined with the easy access to purchasing RATs, make this a preferred and effective method for cybercriminals.

In this blog, I dissect a campaign that uses this method to compromise a system, providing insight into what the CrowdStrike Falcon Complete team has observed since 2019. I will also provide step-by-step remediation along with recommendations for how to implement this approach in your network.

The chain starts with a simple email containing a disk image file (.IMG) to socially engineer the victim into viewing the contents. The message seems to be coming from a worldwide package delivery company.

Recommendations:

- Gain advanced visibility across your endpoints with an endpoint detection and response (EDR) solution such as the CrowdStrike Falcon® platform.
- Turn on next-gen antivirus (NGAV) preventative measures to stop malware.
- Leverage a Layer 7 firewall that can perform deep packet inspection to examine the traffic and block P2P protocol types.
- Observe inbound emails received during a short span of time to see the volume of disk image files being delivered as attachments.
- If applicable, block known disk image file types such as IMG, ISO, DAA, VHD, CDI, VMDK, etc., to reduce the attack surface.
- Leverage a proxy to proactively block sites that are uncategorized/unknown, as we've seen new sites registered shortly before phishing campaigns are executed.
- Incorporate a phishing awareness program internally, and routinely test employees with phishing test emails.

We've seen a shift toward cybercriminals using AutoIt and disk images to further achieve their objectives through various mass phishing campaigns. We believe this shift is primarily to evade detection by legacy AV software and bypass the email gateway, as most are not inspecting or blocking these file types, and no extra software is required to mount these disk images because Windows is able to mount them natively.
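One way to act on the recommendations above (watch the volume of disk image attachments arriving over a short span, and block the listed file types), written here as an added example rather than code from the CrowdStrike post: it parses constructed mail-gateway log lines (the log format, sender addresses and file names are assumptions), flags attachments by disk-image extension, adds an ISO 9660 content check so a renamed image is still caught, and tallies hits per sender domain and per hour.

```python
"""Triage inbound mail-gateway records for disk-image attachments."""
import re
from collections import Counter
from datetime import datetime

# Mountable disk-image extensions named in the post (lowercase, no dot).
DISK_IMAGE_EXTS = {"img", "iso", "daa", "vhd", "cdi", "vmdk"}

# Assumed gateway log format: ISO timestamp, sender address, attachment name.
LOG_RE = re.compile(r'^(?P<ts>\S+) from=(?P<sender>\S+) attach="(?P<name>[^"]+)"$')

def attachment_ext(name: str) -> str:
    """Final extension of an attachment name, lowercased ('' if none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_disk_image_name(name: str) -> bool:
    """Extension-based check, the basis for a gateway block rule."""
    return attachment_ext(name) in DISK_IMAGE_EXTS

def is_iso9660(data: bytes) -> bool:
    """Content check: an ISO 9660 volume descriptor carries 'CD001' at
    byte offset 0x8001, so a renamed .iso is still caught."""
    return len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001"

def triage(log_lines):
    """Flag disk-image attachments; count them per sender domain and hour."""
    flagged, by_domain, by_hour = [], Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or not is_disk_image_name(m["name"]):
            continue
        ts = datetime.fromisoformat(m["ts"])
        flagged.append((m["ts"], m["sender"], m["name"]))
        by_domain[m["sender"].split("@")[-1].lower()] += 1
        by_hour[ts.strftime("%Y-%m-%dT%H")] += 1
    return flagged, by_domain, by_hour

SAMPLE_LOG = [  # constructed sample lines, not data from the post
    '2020-03-02T09:14:05 from=notice@parcel-example.test attach="Delivery_Receipt.img"',
    '2020-03-02T09:14:41 from=notice@parcel-example.test attach="Delivery_Receipt.img"',
    '2020-03-02T09:20:13 from=hr@corp.example attach="payroll.pdf"',
    '2020-03-02T10:02:57 from=billing@parcel-example.test attach="Invoice.ISO"',
]

if __name__ == "__main__":
    flagged, by_domain, by_hour = triage(SAMPLE_LOG)
    for rec in flagged:
        print("disk image attachment:", rec)
    print("per sender domain:", dict(by_domain), "per hour:", dict(by_hour))
```

A burst of hits from one newly seen sender domain within a single hour is the pattern the "short span of time" recommendation is looking for; the extension check alone is what a gateway block rule can act on, while the ISO 9660 check needs the attachment bytes.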