According to Trustwave, Windows Imaging Format (WIM) files are now being used in phishing attacks. Because WIM files aren’t typically thought of as harmful, it is easier for data thieves to abuse them and get them past security filters.

These spam emails, which spoof courier businesses, contain a malicious WIM file disguised as an invoice or consignment note. WIM is a Microsoft-developed, file-based disk imaging format; since Windows Vista it has been used to distribute Windows software components and updates. Files in this format carry a ‘.wim’ extension, and their contents can be extracted with archiving tools such as 7-Zip, PowerISO, and PeaZip. If opened, the malicious files install the Agent Tesla Trojan on the victim’s computer.

All the WIM files we gathered from our samples contain Agent Tesla malware. This threat is a Remote Access Trojan (RAT) written in .NET, which can take full control over a compromised system and can exfiltrate data via HTTP, SMTP, FTP, and Telegram.

Agent Tesla was one of the most common RATs in 2020, and we noticed earlier this year that it is still being disseminated in spam emails.

The use of a WIM file is a tradeoff for the attackers, according to Trustwave: these files are more likely to get past security filters, but Windows systems can’t open them by default. The files can only be accessed if extra software, such as 7-Zip, is installed on the computer.

Encapsulating malware in an unusual archive file format is one of the main techniques for evading gateways and scanners, the researchers write. However, the method comes with a catch: the target system must either recognise the file type or have a tool installed that can unpack and handle it. In comparison to the more well-known.
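The defensive counterpart to the technique described above, as an added example that is not Trustwave's code: a mail-gateway check that identifies WIM attachments by their on-disk signature rather than by the declared filename or MIME type. The message and the WIM stub are constructed inline; the header layout follows the published WIM format, and the sender, recipient and filenames are placeholders.

```python
import struct
import email
from email import policy
from email.message import EmailMessage

WIM_MAGIC = b"MSWIM\x00\x00\x00"  # signature every WIM image starts with, whatever its filename

def parse_wim_header(data: bytes):
    """Return header fields if data starts with a WIM header, else None.
    Layout: magic(8) | size u32 | version u32 | flags u32 | chunk u32 | GUID(16) | part u16 | parts u16 | images u32."""
    if len(data) < 48 or not data.startswith(WIM_MAGIC):
        return None
    size, version, flags, chunk = struct.unpack_from("<IIII", data, 8)
    part, parts, images = struct.unpack_from("<HHI", data, 40)
    return {"header_size": size, "version": version, "flags": flags,
            "chunk_size": chunk, "part": part, "total_parts": parts, "image_count": images}

def scan_message(raw: bytes):
    """Flag attachments that are WIM images by content, ignoring filename and MIME type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_content()
        if not isinstance(payload, bytes):
            continue  # text/* parts decode to str and cannot be a WIM image
        header = parse_wim_header(payload)
        if header is None:
            continue
        name = part.get_filename() or "<unnamed>"
        verdict = "wim-by-content"
        if not name.lower().endswith(".wim"):
            verdict += ",extension-mismatch"  # declared name does not match the real type
        findings.append((name, verdict, header["image_count"]))
    return findings

def make_wim_stub() -> bytes:
    """Constructed minimal WIM header (version 0x10D00, one part, one image); not a real sample."""
    stub = WIM_MAGIC + struct.pack("<IIII", 0xD0, 0x10D00, 0, 0x8000)
    stub += bytes(16) + struct.pack("<HHI", 1, 1, 1)
    return stub + bytes(0xD0 - len(stub))

def build_sample() -> bytes:
    """Constructed courier-themed lure: the stub under two filenames plus a benign attachment."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Consignment note", "dispatch@example.invalid", "ap@example.invalid"
    msg.set_content("Please find your invoice attached.")
    for fname, data in (("Invoice.wim", make_wim_stub()), ("Invoice.pdf", make_wim_stub()),
                        ("notes.txt", b"nothing to see here")):
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Running `scan_message(build_sample())` reports both WIM-bearing attachments and skips the benign one; the same check can be dropped in front of any attachment-extension allow-list.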

Attackers are constantly devising new methods to get through email security filters. Siccura Cybersecurity awareness training can help your employees stay ahead of growing social engineering attacks.

Trustwave has the full story. A phishing campaign is an email scam designed to steal personal information from victims.