Authors: Diana Lopera, Joshua Deacon, and Fahim Abbasi

This year we observed a notable uptick in disc imaging formats (like .ISO) being used as a container for serving malware via email, with .ISO archives accounting for 6% of all malware attachment archives seen this year.

A disk image is a software copy of a physical disk. It saves the entire data from the disk, including the file structure and all files and folders, in a single file and thus often serves as a full backup. Disk imaging software includes formats like ISO, IMG, VHD, VDI, VMDK, VHD and DAA.

In this blog, we will present two recent malspam campaigns that utilize disk image formats to deliver malware through phishing links and as attachments.

Figure 1: Attack flow. Disk images such as ISO or DAA files are sent as an email attachment or hosted at a site pointed to via a link in an email to infect victims with RATs.

The first campaign was a fake FedEx shipment email message targeting some of our European customers. The message tricked victims into clicking on a link that downloaded an ISO archive containing a single executable of the Nanocore RAT.

An ISO file (often called an ISO image) is a well-known archive file of optical discs like CD/DVD. They are often used for backing up optical discs, or for distributing large file sets. Malware authors have started abusing these archives by re-purposing them to deliver malware. Recent versions of Microsoft Windows 10 and Windows 8 have the built-in ability to mount .ISO disc image files when they are opened, hence making them a hot commodity for scammers.

Figure 2: Screenshot of the email message as displayed to a victim

The email was drafted in the French language, hence targeting French speakers. The lure was short and precise, suggesting failure to deliver a FedEx parcel due to an incorrect address, while guiding the victim to download the attached document from FedEx to update their address.

Figure 3: Google Translate used to translate the message to English

Clicking on the link (hxxp://madridbg[.]com/FedEx,pdf.iso) downloaded an ISO archive called "FedEx,pdf.iso". The ISO archive had a relatively low detection on VirusTotal (18/70). This ISO contains a single binary executable called "fedex,pdf.exe"; the binary was disguised with a PDF logo as shown in Figure 4.

Figure 4: Executable inside the ISO using a fake PDF logo and PDF extension

Upon opening the ISO, we were presented with an executable file "fedex,pdf.exe". Analyzing the executable file with DiE (Detect It Easy) suggests that the file was likely packed, due to the unusual imports and lack of strings.

Figure 5: Detect It Easy tool assessment on the executable "fedex,pdf.exe"

Upon execution of the file "fedex,pdf.exe", the executable creates a new process of the Windows CLI tool "RegAsm" and injects a malicious payload into it, leading to network communication with the C2 Boki0419[.]duckdns[.]org on port 9900.

Figure 6: The network activity of the RegAsm process via the Process Hacker tool
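As an added defensive example (not code from the original post or the authors' tooling), the following Python parses the primary volume descriptor of an ISO 9660 image to list its root directory and flags executables whose names pose as documents, as "fedex,pdf.exe" does; it builds a constructed miniature image to run against. It reads ISO 9660 names only (assumption: no Joliet lookup, so on real images long names may appear in their 8.3 form), and EXEC_EXT and DOC_TOKENS are a constructed heuristic, not a vendor signature.

```python
import struct

SECTOR = 2048  # ISO 9660 logical block size

def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    # Minimal ECMA-119 directory record; only the fields the parser reads are set.
    rec = bytearray(33 + len(name) + (len(name) + 1) % 2)   # pad to even length
    rec[0], rec[25], rec[32] = len(rec), flags, len(name)  # flags 0x02 = directory
    rec[2:10] = struct.pack("<I", extent) + struct.pack(">I", extent)
    rec[10:18] = struct.pack("<I", size) + struct.pack(">I", size)
    rec[33:33 + len(name)] = name
    return bytes(rec)

def build_sample_iso() -> bytes:
    # Constructed sample: PVD at sector 16, terminator at 17, root dir at 18, lure PE at 19.
    root = (_dir_record(b"\x00", 18, SECTOR, 2) + _dir_record(b"\x01", 18, SECTOR, 2)
            + _dir_record(b"FEDEX,PDF.EXE;1", 19, 4, 0))
    pvd, term = bytearray(SECTOR), bytearray(SECTOR)
    pvd[0:7], term[0:7] = b"\x01CD001\x01", b"\xffCD001\x01"
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, 2)
    return (bytes(16 * SECTOR) + pvd + term + root.ljust(SECTOR, b"\x00")
            + b"MZ\x90\x00".ljust(SECTOR, b"\x00"))

def list_iso_files(image: bytes) -> list:
    # Walk the root directory named in the primary volume descriptor
    # (ISO 9660 names only; a Joliet SVD, if present, is not consulted).
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < 190 or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    lba, length = struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0]
    data, pos, names = image[lba * SECTOR:lba * SECTOR + length], 0, []
    while pos < len(data):
        if data[pos] == 0:                       # zero padding: jump to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name = data[pos + 33:pos + 33 + data[pos + 32]]
        if name not in (b"\x00", b"\x01"):       # skip "." and ".."
            names.append(name.decode("ascii").split(";")[0])
        pos += data[pos]
    return names

EXEC_EXT = {"EXE", "SCR", "COM", "PIF", "BAT", "CMD", "JS", "VBS", "LNK"}
DOC_TOKENS = ("PDF", "DOC", "XLS", "INVOICE", "FEDEX")  # constructed lure hints

def flag_lure_files(names) -> list:
    # Executables whose names pose as documents, like "FEDEX,PDF.EXE".
    def posing(n):
        stem, _, ext = n.upper().rpartition(".")
        return ext in EXEC_EXT and any(t in stem for t in DOC_TOKENS)
    return [n for n in names if posing(n)]
```

Run `flag_lure_files(list_iso_files(open(path, "rb").read()))` over a quarantined attachment to triage it before any mount; a non-empty result is the "document that is really an executable" pattern this campaign used.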