Recent analysis by Cofense describes how threat actors are using virtual hard drive files to bypass security scanners, including widely used email security appliances from Cisco, Proofpoint, and FireEye.

Notable analysis details include:

• Virtual hard drive files like .vhd and .vhdx, which are typically used for virtual machines, can also be opened in Windows to mount the virtual image as if it were a physical volume.
• Recently, threat actors appear to be avoiding detection from Secure Email Gateways (SEGs) and commercial antivirus (AV) by embedding malicious content within virtual hard drive files.
  • The threat actors send emails with .zip archive attachments containing virtual hard drive files or embedded links to downloads that contain a virtual hard drive file that can be mounted and browsed through by a victim.
  • When SEGs and antivirus scanners analyze virtual hard drive files, they struggle to detect malicious content contained within the hard drive image.
• Throughout 2024, mountable virtual hard drive files have been utilized as a delivery mechanism across multiple distinct email campaigns delivering various malware families.
• Thus far, various phishing themes to watch out for include the usual suspects of tax-themed, shipping-theme, and resume-themed.

System administrators and security analysts are encouraged to review the Cofense post for more details on how to detect and protect against this threat. Protection may include reminding end users to be suspicious of unsolicited .zip attachments and embedded links and to apply extra vigilance to the usual suspects of tax-themed, shipping-theme, and resume-themed emails. For more details, visit Cofense.