A phishing campaign is using Windows Imaging Format (WIM) files to deliver malware, according to researchers at Trustwave. WIM files aren’t commonly treated as a risky attachment type, so they are more likely to pass through email gateways and attachment scanners that key on the familiar archive and executable formats.
“These spams, spoofing courier companies, contain a malicious WIM file disguised as an invoice or consignment note,” the researchers write. “WIM is a file-based disk image format developed by Microsoft. The file format has served to deploy Windows software components and updates ever since Windows Vista. This format uses a ‘.wim’ extension and its content can be extracted using archiving tools like 7Zip, PowerISO, and PeaZip.”
If the recipient unpacks the archive and runs the Agent Tesla payload it contains, the Trojan is installed on the victim’s computer.
“All the WIM files we gathered from our samples contain Agent Tesla malware,” the researchers write. “This threat is a Remote Access Trojan (RAT) written in .NET which can take full control over a compromised system and can exfiltrate data via HTTP, SMTP, FTP, and Telegram. In 2020, Agent Tesla was one of the predominant RATs and early this year, we reported that this malware is still actively getting distributed in spam emails.”
Trustwave notes that using a WIM file is a tradeoff for the attackers: the format is more likely to slip past security filters, but Windows has no built-in handler that opens a .wim from Explorer, so the lure only works if the recipient has a third-party archiver such as 7-Zip installed. (The DISM tool that ships with Windows can mount a WIM, but only from an elevated command prompt, which is not how a phishing target opens an “invoice”.)
“Encapsulating malware in an unusual archive file format is one of the common ways to bypass gateways and scanners,” the researchers write. “However, this strategy also poses a hurdle – the target system must recognize the file type or at least have a tool which can unpack and process the file. In contrast to the more popular .IMG and .ISO disk image files, WIM files are not supported by Windows’ built-in ability to mount disk image files. Moreover, the other popular archive utilities WinRAR and WinZip do not recognize the WIM disk image. WIM files can be processed with the widely used 7Zip.”
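The practical lesson for defenders is that an attachment filter keyed on file extensions misses this lure: the WIM arrives named like an invoice, and nothing in a typical mail flow expects a disk image. The following is an added example, written for this page and not code from Trustwave or from the campaign, showing how to identify a WIM attachment by its header bytes and decode the leading fields (magic, header size, version, flags, part numbers, image count) so that a gateway or SIEM rule can act on content rather than on the file name. The header layout constants come from Microsoft’s public WIM format description; the policy of quarantining any WIM received by e-mail, the `triage_attachment` and `build_sample_wim` helpers, and the sample attachments are assumptions made here for illustration.

```python
import struct
from typing import Optional

# Fixed leading fields of a WIM (Windows Imaging Format) header, per the
# public format description. These values are what the checks below rely
# on; they come from the format spec, not from the Trustwave write-up.
WIM_MAGIC = b"MSWIM\x00\x00\x00"   # 8-byte ImageTag
WIM_HEADER_SIZE = 0xD0            # cbSize of a version-1 header
WIM_VERSION_1 = 0x10D00           # dwVersion written by ImageX/DISM
FLAG_COMPRESSION = 0x00002        # resources in the file are compressed
FLAG_SPANNED = 0x00008            # file is one part of a split (.swm) set
COMPRESSION_NAMES = {0x20000: "XPRESS", 0x40000: "LZX", 0x80000: "LZMS"}
LEADING_FIELDS_LEN = 48           # ImageTag .. dwImageCount


def parse_wim_header(data: bytes) -> Optional[dict]:
    """Return the leading WIM header fields, or None if `data` is not a WIM.

    Only the first 48 bytes (tag, sizes, flags, GUID, part numbers, image
    count) are decoded; the resource-table and XML offsets that follow are
    not needed to decide whether an attachment is a WIM.
    """
    if len(data) < LEADING_FIELDS_LEN or not data.startswith(WIM_MAGIC):
        return None
    cb_size, version, flags, chunk_size = struct.unpack_from("<IIII", data, 8)
    guid = data[24:40]
    part_number, total_parts, image_count = struct.unpack_from("<HHI", data, 40)
    compression = next((n for bit, n in COMPRESSION_NAMES.items() if flags & bit), None)
    return {
        "header_size": cb_size,
        "version": version,
        "flags": flags,
        "chunk_size": chunk_size,
        "guid": guid.hex(),
        "part_number": part_number,
        "total_parts": total_parts,
        "image_count": image_count,
        "compressed": bool(flags & FLAG_COMPRESSION),
        "compression": compression,
    }


def triage_attachment(filename: str, data: bytes) -> dict:
    """Classify one attachment by its bytes rather than its name (hypothetical policy).

    Any WIM arriving by e-mail is treated as suspicious, since it is not a
    format ordinary correspondents send; the reasons list records why, so
    the result can feed a quarantine rule or a SIEM event.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    hdr = parse_wim_header(data)
    if hdr is None:
        return {"filename": filename, "is_wim": False, "verdict": "allow", "reasons": []}
    reasons = ["WIM disk image received as an e-mail attachment"]
    if ext != "wim":
        reasons.append(f"WIM content behind a .{ext or '(none)'} extension")
    if hdr["header_size"] != WIM_HEADER_SIZE or hdr["version"] != WIM_VERSION_1:
        reasons.append("unexpected header size or version (malformed or non-standard WIM)")
    if hdr["total_parts"] > 1 or hdr["flags"] & FLAG_SPANNED:
        reasons.append(f"split archive, part {hdr['part_number']} of {hdr['total_parts']}")
    if hdr["compressed"]:
        reasons.append(f"compressed resources ({hdr['compression'] or 'unknown scheme'})")
    return {"filename": filename, "is_wim": True, "verdict": "quarantine",
            "reasons": reasons, "image_count": hdr["image_count"]}


def build_sample_wim(image_count: int = 1, flags: int = FLAG_COMPRESSION | 0x40000,
                     part: int = 1, total: int = 1) -> bytes:
    """Constructed test input: a header-only WIM with no real resources.

    It exercises the parser offline; it is not a usable image and carries
    no payload.
    """
    hdr = bytearray(WIM_HEADER_SIZE)
    hdr[0:8] = WIM_MAGIC
    struct.pack_into("<IIII", hdr, 8, WIM_HEADER_SIZE, WIM_VERSION_1, flags, 0x8000)
    hdr[24:40] = bytes(range(16))            # arbitrary GUID
    struct.pack_into("<HHI", hdr, 40, part, total, image_count)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed attachments: a WIM named as an invoice, the same WIM bytes
    # behind a .pdf extension, and a genuine PDF header for contrast.
    samples = [
        ("Invoice_20210412.wim", build_sample_wim()),
        ("Consignment_Note.pdf", build_sample_wim(total=2)),
        ("Invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ]
    for name, blob in samples:
        result = triage_attachment(name, blob)
        print(f"{name}: {result['verdict']}; " + "; ".join(result["reasons"]))
```

The check deliberately reads only the first 48 bytes, which is all a gateway needs to decide that an attachment is a disk image and not the invoice its name claims; listing or extracting the contained files would require a full WIM reader such as wimlib or 7-Zip and is better done in a sandbox than on the mail path.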
Trustwave has the full story.