Trustwave recently detailed an interesting campaign in which an actor is using unusual attachments to get around security software. Researchers call the tactic “a double-edged sword,” implying that the unusual attachment format actually works against the attackers' own interests.
As email security software becomes more sophisticated, attackers are resorting to unusual file formats so that their malicious files avoid detection by security solutions. In the past, for example, scammers targeted individuals with email attachments containing ISO or TAR files. However, as threats evolve, so does security detection, and any new and unusual attachment type is soon blocked by email scanners and antivirus software.
Today, researchers at Trustwave have revealed how a threat actor has started distributing the Agent Tesla remote access trojan through files in WIM format, which stands for Windows Imaging Format. RATs are very dangerous, and this one is spread through phishing emails.
“All the WIM files we gathered from our samples contain Agent Tesla malware. This threat is a Remote Access Trojan (RAT) written in .Net which can take full control over a compromised system and can exfiltrate data via HTTP, SMTP, FTP, and Telegram,” explains Trustwave security researcher Diana Lopera in today’s report.
These phishing campaigns start with emails that pretend to be from DHL or Alpha Trans. The emails contain .wim attachments (sometimes .wim.001) that are designed to trick security software, since this is an unusual format for distributing malware.
Windows Imaging Format is a file format that Microsoft introduced to help package entire drives, with all of their files and folders. When the researchers opened the attachments in a hex editor, they found the attackers’ executables inside.
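Because an unusual container format only evades filters that key on the file extension, a mail gateway check should look at the bytes of the attachment rather than its name. The script below is an added example, not code from Trustwave's report: it flags attachments that carry the WIM magic (`MSWIM\0\0\0`, the first eight bytes of every WIM file), attachments named `.wim` or split `.wim.001` parts, extension/magic mismatches, and any embedded PE executable visible in the raw bytes, which is what the hex-editor finding above corresponds to. The sample attachments and the minimal WIM-style header are constructed for the demonstration and are not a valid image; the embedded-PE scan only catches resources stored uncompressed, so a production gateway would expand the image with a WIM library instead of relying on it.

```python
import re
import struct

# Real WIM files begin with this 8-byte magic, followed by a 208-byte header.
WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0
PE_SIGNATURE = b"PE\x00\x00"

# Matches "x.wim" as well as split archives such as "x.wim.001".
WIM_NAME_RE = re.compile(r"\.wim(\.\d{3})?$", re.IGNORECASE)


def is_wim(data: bytes) -> bool:
    """True if the attachment starts with the WIM magic, whatever its name."""
    return data[:8] == WIM_MAGIC


def looks_like_split_wim(filename: str) -> bool:
    """True for .wim and .wim.NNN (split) attachment names."""
    return WIM_NAME_RE.search(filename) is not None


def find_embedded_pe(data: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew points at a valid PE signature.

    Only works on uncompressed resources; compressed WIM payloads would
    need to be expanded first.
    """
    hits = []
    idx = data.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(data):
            # e_lfanew lives at offset 0x3C of the DOS header.
            e_lfanew = struct.unpack_from("<I", data, idx + 0x3C)[0]
            sig = idx + e_lfanew
            if data[sig:sig + 4] == PE_SIGNATURE:
                hits.append(idx)
        idx = data.find(b"MZ", idx + 1)
    return hits


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held for review (empty = clean)."""
    reasons = []
    named_wim = looks_like_split_wim(filename)
    magic_wim = is_wim(data)
    if named_wim:
        reasons.append("wim-extension")
    if magic_wim:
        reasons.append("wim-magic")
    if magic_wim and not named_wim:
        # Content says WIM but the name does not: extension spoofing.
        reasons.append("wim-magic-without-wim-extension")
    if find_embedded_pe(data):
        reasons.append("embedded-pe")
    return reasons


def build_pe_stub() -> bytes:
    """Constructed minimal DOS/PE header: MZ, e_lfanew=0x40, 'PE\\0\\0' at 0x40."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3A)   # bytes 0x00..0x3B
    stub += struct.pack("<I", 0x40)             # e_lfanew at 0x3C
    stub += PE_SIGNATURE                        # PE signature at 0x40
    return bytes(stub)


def build_sample_wim() -> bytes:
    """Constructed WIM-style header (magic, cbSize, version) plus a PE stub."""
    header = WIM_MAGIC + struct.pack("<II", WIM_HEADER_SIZE, 0x10D00)
    header += b"\x00" * (WIM_HEADER_SIZE - len(header))
    return header + build_pe_stub()


# Constructed sample attachments used to exercise the checks offline.
SAMPLE_WIM = build_sample_wim()
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [("invoice.wim", SAMPLE_WIM),
                       ("shipping.wim.001", SAMPLE_WIM),
                       ("report.pdf", SAMPLE_WIM),
                       ("report.pdf", SAMPLE_PDF)]:
        print(f"{name:20} -> {triage_attachment(name, blob) or 'clean'}")
```

The split-archive case matters because only the first part (`.wim.001`) carries the magic; later parts are flagged by name alone, so a gateway should hold every part of a split set once one part trips a rule.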
Although such files are less likely to be detected, they present their own drawbacks to their authors, hence “a double-edged sword.”
This file format requires a recipient to go out of their way to extract the file and then double-click on it. When a user tries to open the attachment in Windows, they will be prompted to select a program to open the file.
Researchers conclude that many of these attacks will lead to nothing, since victims will not open the files.