Pretend Disk Format: PDFs harbor new dangers
Briefly

"A particularly insidious phishing campaign is disguising malware pretending to be ordinary PDF documents behind links to virtual hard disks. Because workers are used to receiving purchase orders or invoices in the PDF format, they are likely to open the malicious files unthinkingly, enabling the malware they contain - in this case AsyncRAT, a remote-access Trojan - to take control of company computers."
"The emails in this phishing campaign don't attach a document directly but include links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly used by cybercriminals as it can be accessed through normal web gateways. Those files are virtual hard disks that, when opened, mount as a local disk, bypassing some Windows security features. Inside the disk is a Windows Script File (WSF) purporting to be the expected PDF: When the user opens it, Windows executes the code in the file thus leaving the computer open to exploitation by remote users."
Phishing emails carry links to virtual hard disks hosted on IPFS; when opened, these disks mount as a local drive and bypass some Windows protections. The mounted VHDs contain Windows Script Files (WSF) masquerading as the expected PDF documents, and when a user opens one, Windows executes the embedded code. The payload in this campaign is AsyncRAT, a remote-access Trojan that lets attackers take control of company computers. Workers who habitually open invoices or purchase orders without checking the file type increase organizational risk. Security teams should configure Windows to show file extensions and monitor for payloads fetched from IPFS gateways. Securonix identified the Dead#Vax campaign.
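The "monitor for IPFS-hosted payloads" recommendation above can be turned into a simple proxy-log check. The following is an added example, not code from the article or from Securonix: it scans constructed web-proxy log lines, recognises the two common IPFS gateway URL shapes (a `/ipfs/<cid>/` path on a gateway host, or a `<cid>.ipfs.<gateway>` subdomain), and flags downloads whose final extension is a mountable disk image or a Windows script type. It also notes the "name.pdf.vhdx" double-extension trick the campaign relies on. The log format, host names, user names and CIDs are all made up; the extension list generalises slightly beyond the article's VHD and WSF cases to other mountable images and script hosts.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article).
# Format assumed here: "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOGS = [
    "2024-05-01T09:12:01Z alice GET https://ipfs.io/ipfs/bafyEXAMPLECID/Invoice_4471.vhd 200",
    "2024-05-01T09:13:44Z bob GET https://example.com/reports/q1.pdf 200",
    "2024-05-01T09:15:09Z carol GET https://bafyEXAMPLECID.ipfs.dweb.link/PO-2231.pdf.vhdx 200",
    "2024-05-01T09:16:30Z dave GET https://ipfs.io/ipfs/bafyOTHERCID/readme.txt 200",
    "2024-05-01T09:17:02Z erin GET https://cdn.example.net/files/invoice.wsf 200",
]

# Extensions that should not normally arrive from a public file gateway:
# disk images that mount as a drive when opened, and Windows script files.
# (Assumption: the article names only VHD and WSF; the rest are added here.)
RISKY_EXTENSIONS = {".vhd", ".vhdx", ".iso", ".img", ".wsf", ".vbs", ".js"}


def is_ipfs_gateway_url(url):
    """True for path-style (/ipfs/<cid>/...) or subdomain-style (<cid>.ipfs.<host>) gateway URLs."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return parsed.path.startswith("/ipfs/") or ".ipfs." in host


def extension_of(url):
    """Final extension of the URL path, lower-cased, or '' if there is none."""
    path = urlparse(url).path.lower()
    match = re.search(r"(\.[a-z0-9]+)$", path)
    return match.group(1) if match else ""


def looks_like_fake_pdf(url):
    """True when 'pdf' appears as an inner extension, e.g. PO-2231.pdf.vhdx."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return "pdf" in name.split(".")[1:-1]


def classify(url):
    """Severity for one URL: 'high' (IPFS + risky type), 'medium' (risky type),
    'low' (IPFS only, worth a look) or None."""
    ipfs = is_ipfs_gateway_url(url)
    risky = extension_of(url) in RISKY_EXTENSIONS
    if ipfs and risky:
        return "high"
    if risky:
        return "medium"
    if ipfs:
        return "low"
    return None


def scan(lines):
    """Return one finding dict per log line that deserves attention."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line in the constructed format; skip it
        _ts, user, _method, url, _status = parts[:5]
        severity = classify(url)
        if severity is None:
            continue
        findings.append({
            "user": user,
            "url": url,
            "severity": severity,
            "ext": extension_of(url),
            "ipfs": is_ipfs_gateway_url(url),
            "disguised_as_pdf": looks_like_fake_pdf(url),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['severity']:<6} {f['user']:<6} {f['ext']:<6} pdf-lookalike={f['disguised_as_pdf']} {f['url']}")
```

The double-extension check only helps if the desktop actually shows extensions; on Windows that display is governed by the `HideFileExt` value under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced` (0 shows extensions), which is what the article's "show file extensions" advice amounts to in practice.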
Read at Computerworld