New Dangers Lurk in Your PDFs


Hackers are bypassing enterprise security by using Virtual Hard Disks disguised as PDF files to deliver remote-access malware.


A cunning phishing scheme is using links to virtual hard disks to conceal malware, making it appear as a regular PDF file. Employees accustomed to handling PDF purchase orders or invoices are unknowingly opening these deceptive files. Doing so installs malicious software, specifically the AsyncRAT remote-access Trojan, allowing attackers to seize control of company systems.

Instead of direct attachments, these phishing emails provide links to files stored on the InterPlanetary File System (IPFS). This decentralized network is favored by cybercriminals because it is accessible via standard web gateways. Clicking these links downloads virtual hard disks which, once opened, mount as local drives, circumventing certain Windows security protections. Within these disks lies a Windows Script File (WSF) designed to look like the anticipated PDF. Executing this WSF allows remote attackers to compromise the computer.

For enhanced security, organizations and individual PC users are advised to configure Windows to display file extensions. The recommendation comes from a recent Malwarebytes Labs blog post, which credits Securonix with discovering the Dead#Vax malware campaign.
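The two disguises described above can also be checked by content and name rather than by eye. The following is an added example, not code from the article, Malwarebytes or Securonix: it recognizes a virtual hard disk by its format signature (`conectix` for VHD, `vhdxfile` for VHDX) even when it carries a PDF name, and flags a script whose visible name still ends in a document extension. The extension lists, file names and sample bytes are assumptions constructed for illustration.

```python
import os

# Assumed lists for illustration; the article names only WSF and PDF.
SCRIPT_EXTS = {".wsf", ".vbs", ".js", ".jse", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}
DISK_EXTS = {".vhd", ".vhdx"}

def disk_image_type(data: bytes):
    """Identify a virtual hard disk by content, whatever the file is called."""
    if data[:8] == b"vhdxfile":            # VHDX file identifier at offset 0
        return "vhdx"
    # VHD keeps a 512-byte footer at the end that starts with "conectix";
    # dynamic VHDs also carry a copy of it at offset 0.
    if data[:8] == b"conectix" or data[-512:][:8] == b"conectix":
        return "vhd"
    return None

def masked_script(name: str) -> bool:
    """True if the real extension is a script but the name Explorer shows
    with extensions hidden still ends in a document extension."""
    shown, real_ext = os.path.splitext(name.strip().lower())
    return real_ext in SCRIPT_EXTS and os.path.splitext(shown.rstrip())[1] in DECOY_EXTS

def triage(name: str, data: bytes = b"") -> list:
    """Return findings for one downloaded or mounted file."""
    findings = []
    kind = disk_image_type(data)
    if kind:
        ext = os.path.splitext(name.lower())[1]
        findings.append("disk-image" if ext in DISK_EXTS else "disk-image-wrong-extension")
    if masked_script(name):
        findings.append("masked-script")
    return findings

# Constructed samples: file names and bytes are made up for this example.
FAKE_VHD = b"\x00" * 1024 + b"conectix" + b"\x00" * 504
SAMPLES = [
    ("PO-4471.pdf", FAKE_VHD),                 # disk image served under a PDF name
    ("Invoice_0226.pdf.wsf", b"<job></job>"),  # script shown as "Invoice_0226.pdf"
    ("Invoice_0226.pdf", b"%PDF-1.7\n"),       # ordinary PDF
    ("backup.vhdx", b"vhdxfile" + b"\x00" * 56),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:24} {triage(name, data) or 'no findings'}")
```

In practice `triage` would be fed the first and last 512 bytes of each file in a download folder or mail-gateway quarantine, so whole disk images never need to be read into memory.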
