
How Hackers Exploit Virtual Hard Drives to Evade Malware Detection

Cybercriminals are exploiting virtual hard drive files in phishing attacks, successfully evading traditional email and antivirus defenses by embedding malware in virtual containers.


Hackers have started using virtual hard drive (VHD) files to deliver malware without tripping email security systems, warns Cofense in a threat analysis. Traditional defenses such as secure email gateways (SEGs) and antivirus engines struggle to detect malware when it is hidden inside a VHD. These files, normally used as disk images for virtual machines, are being used to deliver threats such as the Remcos and XWorm remote access trojans (RATs).

The emails carry either a .zip archive with a malicious VHD inside or a link to download one. The tactic relies on the fact that when a recipient double-clicks the VHD, Windows mounts it as a new drive letter, so it looks like an ordinary disk rather than an attachment. From there, the attacker needs the victim to open the file stored on the mounted drive, which can happen without the victim realizing they are launching a payload.

Phishing Campaigns Show Growing Use of VHDs

In 2024, several phishing campaigns have used this technique, according to Cofense. In May, one campaign lured users with a message claiming to contain tax documents and led them to download a file called Tax_Organizer.exe; opening it executed malicious code that delivered Remcos RAT. Over the summer, another campaign spoofed shipping companies with fake undelivered-package notifications. The emails claimed that a photo of the package label was attached, but the attachment was actually a VHD file that launched malicious code once opened.

The technique has proven effective across lure themes. One campaign from August targeted Spanish speakers with what appeared to be job applications in a .zip archive. The enclosed VHDX file contained scripts designed to load malware into memory rather than writing it to disk, which leaves less for on-disk scanning to find.

Why Traditional Security Fails Against VHDs

One reason VHD files are so dangerous is that they slip past standard email security controls. Products from companies such as Cisco and Proofpoint struggled to detect them. Many secure email gateways either do not open the VHD container to scan its contents or rely on antivirus engines that do not recognise the threats inside it. In Cofense's tests, tools such as Cisco's Advanced Malware Protection (AMP) failed to catch malicious files in emails that used VHDs; some gateways simply marked the attachments as clean.

The problem is not isolated. When a malicious VHD was submitted to VirusTotal, a platform that runs files through dozens of antivirus engines, only one of 62 engines flagged it. The low detection rate is worrying, especially because an attacker can trivially change the content or the allocated size of a VHD, which changes its hash and defeats hash-based blocklists.

Virtual Drives Evade Detection with Ease

Antivirus software is generally not built to look inside VHD files. These attacks rely on the fact that scanners tend to decide how to handle a file by its extension, or unpack only the outer layers of an archive. A VHD is a container in its own right: a complete disk image, filesystem included. Its contents do not receive the same scrutiny as a plain attachment, which makes it an effective place to hide a payload.

In one case, the malware delivered via a resume-themed phishing campaign was a script embedded in a VHD file. Antivirus tools detected the script on its own, but the VHD holding it went unnoticed. Worse, attackers can easily vary these files by changing the amount of storage allocated or switching between the VHD and VHDX formats. Even small changes produce a different hash, which signature-based tools treat as a new, clean file.
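As an added example (not code from the article or from Cofense), the following Python script shows how a mail-processing hook can recognise a VHD or VHDX attachment by its on-disk structure rather than by extension or hash, which addresses both the renamed-container evasion and the changed-hash evasion described above. It parses the 512-byte VHD footer (the `conectix` cookie, disk type and checksum) and the VHDX file identifier (`vhdxfile`), recurses into ZIP archives, and flags any disk image regardless of the name it carries. The function names (`identify_disk_image`, `scan_attachment`, `build_fixed_vhd`, `build_sample_phish_zip`) and the embedded sample ZIP are constructed for this demonstration.

```python
import io
import struct
import zipfile

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"       # VHD hard disk footer cookie
VHDX_SIGNATURE = b"vhdxfile"   # VHDX file identifier at offset 0
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_footer_checksum(footer: bytes) -> int:
    """Ones' complement of the byte sum of the footer with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes):
    """Return a dict describing a VHD footer, or None if the bytes are not one."""
    if len(footer) != VHD_FOOTER_SIZE or footer[:8] != VHD_COOKIE:
        return None
    # VHD footer integers are big-endian.
    current_size, = struct.unpack_from(">Q", footer, 48)
    disk_type, = struct.unpack_from(">I", footer, 60)
    checksum, = struct.unpack_from(">I", footer, 64)
    return {
        "format": "vhd",
        "disk_type": VHD_DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "virtual_size": current_size,
        "checksum_ok": checksum == vhd_footer_checksum(footer),
    }


def identify_disk_image(data: bytes):
    """Identify a VHD/VHDX by structure, ignoring the file name and extension entirely."""
    if data[:8] == VHDX_SIGNATURE:
        return {"format": "vhdx"}
    if len(data) >= VHD_FOOTER_SIZE:
        # Every VHD ends with the footer; dynamic and differencing disks also
        # carry a copy of it in the first 512 bytes, so check both places.
        found = parse_vhd_footer(data[-VHD_FOOTER_SIZE:]) or parse_vhd_footer(data[:VHD_FOOTER_SIZE])
        if found:
            return found
    return None


def scan_attachment(name: str, data: bytes, depth: int = 0, max_depth: int = 3):
    """Walk an attachment, recursing into nested ZIPs, and return a list of disk-image findings."""
    findings = []
    image = identify_disk_image(data)
    if image:
        findings.append({"path": name, **image})
    if depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)
                findings.extend(scan_attachment(f"{name}/{info.filename}", inner, depth + 1, max_depth))
    return findings


def build_fixed_vhd(payload: bytes) -> bytes:
    """Constructed sample: a minimal fixed VHD (one 512-byte sector plus footer), not a usable filesystem."""
    data = payload.ljust(512, b"\x00")
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 8, 2)                    # features: reserved bit always set
    struct.pack_into(">I", footer, 12, 0x00010000)          # file format version 1.0
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF)  # data offset: none for a fixed disk
    footer[28:32] = b"exmp"                                  # creator application (hypothetical tag)
    footer[36:40] = b"Wi2k"                                  # creator host OS: Windows
    struct.pack_into(">Q", footer, 40, len(data))           # original size
    struct.pack_into(">Q", footer, 48, len(data))           # current size
    struct.pack_into(">I", footer, 60, 2)                   # disk type: fixed
    struct.pack_into(">I", footer, 64, vhd_footer_checksum(bytes(footer)))
    return data + bytes(footer)


def build_sample_phish_zip() -> bytes:
    """Constructed sample lure: a VHD renamed to look like a label photo, a VHDX stub, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("package_label.jpg", build_fixed_vhd(b"not really a jpeg"))
        zf.writestr("resume.vhdx", VHDX_SIGNATURE + b"\x00" * 504)   # stub: identifier only
        zf.writestr("README.txt", b"tracking info attached")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_attachment("mail.zip", build_sample_phish_zip()):
        print(finding)
```

The check keys on the container structure, so renaming `.vhd` to `.jpg`, growing the allocated size, or switching to VHDX still produces a finding, whereas a hash blocklist would see a brand-new file each time. The checksum verification is there to cut false positives on random data that happens to begin with the cookie.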

Old Windows Features Still Exploited by Hackers

Although modern versions of Windows make it harder for malware to execute automatically from a mounted drive, attackers still lean on the older AutoRun and AutoPlay features to trigger malicious scripts. If a system still allows AutoRun for non-optical media, or if the user clicks through an AutoPlay prompt, the malware can launch immediately. Legacy Windows versions would act on an autorun.inf file inside a mounted VHD automatically; newer systems prompt the user to take action instead, but even that extra step is often enough to trick someone into running the file.

While AutoRun is no longer the automatic risk it once was, phishing campaigns still find ways to exploit it, especially on older systems. Combined with the evasion properties that make VHDs so hard to detect, these attacks are a growing concern for organizations running outdated software.

To mitigate the risk, Cofense's analysts recommend that organizations cover VHD and VHDX files in their security awareness training. Employees should be cautious about opening unfamiliar attachments, especially .zip files or anything from unknown senders, and should treat an attachment that opens as a new drive letter as a warning sign rather than a document. While technical defenses may miss the threat, an informed user can act as the last line of defense against these attacks.


Last Updated on November 7, 2024 2:24 pm CET

Source: Cofense

Markus Kasanmascheff

Markus has been covering the tech industry for more than 15 years. He holds a Master's degree in International Economics and is the founder and managing editor of Winbuzzer.com.
