An Unusual Attachment is Most Likely a Phishing Campaign

A phishing campaign is using Windows Imaging Format (WIM) files to deliver malware, according to researchers at Trustwave. WIM files aren’t commonly thought of as potentially malicious, so they’re more likely to bypass security filters.

“These spams, spoofing courier companies, contain a malicious WIM file disguised as an invoice or consignment note,” the researchers write. “WIM is a file-based disk image format developed by Microsoft. The file format serves to deploy Windows software components and updates ever since Windows Vista. This format uses a ‘.wim’ extension and its content can be extracted using archiving tools like 7Zip, PowerISO, and PeaZip.”

If opened, the malicious files will install the Agent Tesla Trojan on the victim’s computer.

“All the WIM files we gathered from our samples contain Agent Tesla malware,” the researchers write. “This threat is a Remote Access Trojan (RAT) written in .Net which can take full control over a compromised system and can exfiltrate data via HTTP, SMTP, FTP, and Telegram. In 2020, Agent Tesla was one of the predominant RATs and early this year, we reported that this malware is still actively getting distributed in spam emails.”

Trustwave notes that using a WIM file is a tradeoff for the attackers: these files are more likely to slip past security filters, but Windows computers can’t open them by default. The files can only be opened if the computer has additional software installed, such as 7-Zip.

“Encapsulating malware in an unusual archive file format is one of the common ways to bypass gateways and scanners,” the researchers write. “However, this strategy also poses a hurdle – the target system must recognize the file type or at least have a tool which can unpack and process the file. In contrast to the more popular .IMG and .ISO disk image files, WIM files are not supported by Windows built-in ability to mount disk image files. Moreover, the other popular archive utilities WinRAR and WinZip do not recognize the WIM disk image. WIM files can be processed with the widely used 7Zip.”
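Since the lure depends on the attachment being a WIM image rather than on its name, a mail gateway or triage script can flag WIM attachments by their leading bytes instead of trusting the extension. The following Python script is an added example, not code from Trustwave or KnowBe4; the sample message, its sender and the stub attachment bytes are constructed for the demonstration.

```python
# Added example (not from the Trustwave or KnowBe4 post): flag e-mail
# attachments that are WIM disk images by content, not by file name.
import email
from email import policy
from email.message import EmailMessage

# Image tag at offset 0 of every WIM file, followed by the header size field.
WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0


def is_wim(data: bytes) -> bool:
    """True if the payload starts with the WIM image tag."""
    return data[:len(WIM_MAGIC)] == WIM_MAGIC


def find_wim_attachments(raw_message: bytes) -> list:
    """Return every attachment whose bytes identify it as a WIM image,
    with the (possibly misleading) name and MIME type the sender declared."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if is_wim(payload):
            name = part.get_filename() or "<unnamed>"
            hits.append({
                "filename": name,
                "declared_type": part.get_content_type(),
                "extension_matches": name.lower().endswith(".wim"),
                "size": len(payload),
            })
    return hits


def build_sample_message() -> bytes:
    """Constructed courier-themed lure: one stub WIM (tag + header size + padding,
    no real image data) and one harmless non-WIM attachment as a control."""
    msg = EmailMessage()
    msg["From"] = "noreply@courier.example"  # constructed spoofed sender
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Consignment note 4821"
    msg.set_content("Please find the consignment note attached.")
    fake_wim = WIM_MAGIC + WIM_HEADER_SIZE.to_bytes(4, "little") + b"\x00" * 16
    msg.add_attachment(fake_wim, maintype="application", subtype="octet-stream",
                       filename="Consignment_Note.wim")
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return bytes(msg)
```

Calling `find_wim_attachments(build_sample_message())` returns one hit for `Consignment_Note.wim` and nothing for the PDF control; the same check works on a renamed file because it never looks at the extension.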

Attackers are constantly coming up with new ways to bypass email security filters. New-school security awareness training can help your employees stay ahead of evolving social engineering attacks.

Trustwave has the full story
