Virtual hard disk image files have been leveraged by threat actors to conceal the VenomRAT remote access trojan in a new malware campaign, Hackread reports.
Attackers deliver phishing emails purporting to be purchase orders with .vhd file attachments; when the recipient opens the image, Windows mounts it as a new drive and a batch script inside it runs, launching PowerShell, establishing persistence, and altering Windows registry settings before starting VenomRAT, according to Forcepoint X-Labs researchers. Aside from exfiltrating data, keystrokes, and other sensitive details, VenomRAT can download and run further executables and uses hidden VNC (hVNC) to remote-control the host while evading security controls. Such a threat should prompt users not only to verify unexpected purchase orders or invoices but also to strengthen their security defenses and bolster phishing awareness. "This is a unique approach. Attackers are constantly looking for ways to evade detection, and hiding malware within a virtual hard disk image is a good example of that," said Forcepoint X-Labs security researcher Prashant Kumar.
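The infection chain described above (user opens a .bat on a freshly mounted drive, cmd.exe spawns PowerShell, PowerShell writes an autostart registry value) is the kind of sequence a detection engineer can hunt for in process and registry telemetry. The following is an added example, not code from the article or from Forcepoint, that scores such chains over Sysmon-style events. The event schema, process IDs, file names (PO_4471.bat, Updater) and the sample events themselves are constructed for the demonstration; they are not indicators from the reported campaign.

```python
"""Flag the chain explorer.exe -> cmd.exe running a .bat -> PowerShell -> Run-key write.

Added example with constructed, Sysmon-like events (EventID 1 = process creation,
EventID 13 = registry value set). None of the paths or PIDs below are real IOCs.
"""
import re

# Registry locations whose modification establishes autostart persistence
# (two common Run keys; a production rule would cover more locations).
RUN_KEY_MARKERS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
)

# PowerShell switches that typically appear in loader one-liners.
PS_SUSPICIOUS_FLAGS = (
    "-w hidden", "-windowstyle hidden", "-enc", "-nop",
    "-ep bypass", "-executionpolicy bypass",
)

# A .bat path preceded by a drive letter, e.g. E:\PO_4471.bat (no spaces in path).
BAT_ON_DRIVE = re.compile(r'([A-Za-z]):\\[^"\s]*\.bat', re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _descendants(pid, procs):
    """Transitive children of pid, following ParentProcessId links."""
    found, frontier = set(), [pid]
    while frontier:
        cur = frontier.pop()
        for p in procs:
            if p["ParentProcessId"] == cur and p["ProcessId"] not in found:
                found.add(p["ProcessId"])
                frontier.append(p["ProcessId"])
    return found


def detect_vhd_chain(events, system_drive="C"):
    """Return one alert per cmd.exe that was started by explorer.exe on a .bat and
    whose descendants include PowerShell with loader flags or a Run-key write."""
    procs = [e for e in events if e["EventID"] == 1]
    reg_sets = [e for e in events if e["EventID"] == 13]
    alerts = []
    for cmd in procs:
        if _basename(cmd["Image"]) != "cmd.exe":
            continue
        m = BAT_ON_DRIVE.search(cmd["CommandLine"])
        if not m or _basename(cmd["ParentImage"]) != "explorer.exe":
            continue  # not a user double-clicking a batch file
        kids = _descendants(cmd["ProcessId"], procs)
        ps = [p for p in procs if p["ProcessId"] in kids
              and _basename(p["Image"]) in ("powershell.exe", "pwsh.exe")]
        if not ps:
            continue
        hidden = [p for p in ps
                  if any(f in p["CommandLine"].lower() for f in PS_SUSPICIOUS_FLAGS)]
        run_writes = [r for r in reg_sets if r["ProcessId"] in kids
                      and any(k in r["TargetObject"].lower() for k in RUN_KEY_MARKERS)]
        if not hidden and not run_writes:
            continue
        alerts.append({
            "batch": m.group(0),
            # Heuristic only: a non-system drive letter is consistent with a mounted
            # .vhd but also with USB media or mapped shares; correlate with a VHD
            # attach event from the host's VHDMP log before acting on it.
            "mounted_image_drive": m.group(1).upper() != system_drive.upper(),
            "powershell_pids": [p["ProcessId"] for p in ps],
            "hidden_or_encoded": bool(hidden),
            "run_key_writes": [r["TargetObject"] for r in run_writes],
        })
    return alerts


# Constructed sample telemetry: one malicious chain (PIDs 5210/5230) and one
# benign batch file run from the Desktop (PIDs 6001/6002).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "CommandLine": "C:\\Windows\\Explorer.EXE"},
    {"EventID": 1, "ProcessId": 5210, "ParentProcessId": 4100,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"E:\\PO_4471.bat\" \""},
    {"EventID": 1, "ProcessId": 5230, "ParentProcessId": 5210,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-blob>"},
    {"EventID": 13, "ProcessId": 5230,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"},
    {"EventID": 1, "ProcessId": 6001, "ParentProcessId": 4100,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "C:\\Windows\\system32\\cmd.exe /c \"\"C:\\Users\\alice\\Desktop\\build.bat\" \""},
    {"EventID": 1, "ProcessId": 6002, "ParentProcessId": 6001,
     "Image": "C:\\Windows\\System32\\robocopy.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "robocopy src dst /MIR"},
]

if __name__ == "__main__":
    for alert in detect_vhd_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the parent/child relationship rather than on any file name, so it survives the attacker renaming the lure; the drive-letter check is deliberately reported as a separate field because on its own it is a weak signal.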