Threat actors have used virtual hard disk image files to conceal the VenomRAT remote access trojan in a new malware campaign, Hackread reports.
Attackers deliver phishing emails disguised as purchase orders carrying .vhd attachments. When a recipient opens the attachment, Windows mounts the image as a drive letter; a batch script inside it, once run, launches PowerShell, establishes persistence, and alters Windows registry settings before executing VenomRAT, according to Forcepoint X-Labs researchers.
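The chain above (batch file on a VHD-backed volume, PowerShell spawned from it, then a Run-key write) is the kind of sequence an endpoint detection can correlate. The following is an added example, not code from Hackread, Forcepoint or the campaign analysis: it runs a three-stage correlation over constructed, simplified telemetry records (hostnames, PIDs, paths and the registry value are all made up here, and the record shape is a hypothetical normalized form rather than real Sysmon or Windows event schemas). A mount event marks which drive letters are backed by a VHD; a cmd.exe launching a .bat from such a drive opens a suspect chain, a PowerShell descendant raises it to stage 2, and a Run/RunOnce write from any process in the chain raises it to stage 3.

```python
"""Correlate the VHD -> batch -> PowerShell -> Run-key chain described above.

Added example; constructed telemetry only. Each event is a dict with a
"kind" of "vhd_mount", "vhd_unmount", "process" or "registry". This is a
hypothetical normalized shape, not a real Windows/Sysmon schema.
"""
import re
from dataclasses import dataclass, field

# Matches HKCU/HKLM ...\CurrentVersion\Run and RunOnce (and values under them).
_RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.IGNORECASE)
# Drive letter of a .bat path anywhere in a command line, e.g. E:\PurchaseOrder.bat
_BAT_PATH_RE = re.compile(r'\b([a-zA-Z]):\\[^"\s]*\.bat\b', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    drive: str
    root_pid: int
    stage: int                      # 1 = .bat from VHD, 2 = PowerShell child, 3 = Run-key persistence
    detail: list = field(default_factory=list)


def _bat_drive(cmdline: str):
    """Return 'E:' if the command line runs a .bat from drive E, else None."""
    m = _BAT_PATH_RE.search(cmdline)
    return m.group(1).upper() + ":" if m else None


def correlate(events):
    """Return one Finding per batch-from-VHD chain, carrying the highest stage reached."""
    mounted = {}    # host -> set of drive letters currently backed by a VHD
    chains = {}     # (host, pid) -> Finding for every pid that belongs to a suspect chain
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["kind"]
        if kind == "vhd_mount":
            mounted.setdefault(host, set()).add(ev["drive"].upper())
        elif kind == "vhd_unmount":
            mounted.get(host, set()).discard(ev["drive"].upper())
        elif kind == "process":
            image = ev["image"].lower()
            parent = chains.get((host, ev["ppid"]))
            if parent is not None:
                # Any descendant of a suspect chain inherits the finding.
                chains[(host, ev["pid"])] = parent
                if image.endswith(("powershell.exe", "pwsh.exe")):
                    parent.stage = max(parent.stage, 2)
                    parent.detail.append(f"powershell child pid={ev['pid']}: {ev['cmdline']}")
                continue
            if image.endswith("cmd.exe"):
                drive = _bat_drive(ev["cmdline"])
                if drive and drive in mounted.get(host, set()):
                    f = Finding(host, drive, ev["pid"], 1,
                                [f"batch run from VHD-backed volume: {ev['cmdline']}"])
                    chains[(host, ev["pid"])] = f
                    findings.append(f)
        elif kind == "registry":
            f = chains.get((host, ev["pid"]))
            if f is not None and _RUN_KEY_RE.search(ev["target"]):
                f.stage = max(f.stage, 3)
                f.detail.append(f"Run-key write: {ev['target']} = {ev['value']}")
    return findings


def summarize(events):
    """(host, drive, stage) per finding; convenient for tests and dashboards."""
    return [(f.host, f.drive, f.stage) for f in correlate(events)]


# Constructed sample telemetry. Hosts, PIDs, file names and the registry value
# are invented for illustration; they are not indicators from the campaign.
SAMPLE_EVENTS = [
    {"host": "ws01", "kind": "vhd_mount", "drive": "E:"},
    {"host": "ws01", "kind": "process", "pid": 4100, "ppid": 880,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\PurchaseOrder.bat"'},
    {"host": "ws01", "kind": "process", "pid": 4112, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -f E:\stage.ps1"},
    {"host": "ws01", "kind": "registry", "pid": 4112,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    # Benign control: the same cmd.exe/.bat pattern on a physical drive is not flagged.
    {"host": "ws02", "kind": "process", "pid": 5200, "ppid": 900,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\backup.bat"'},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.host} drive={f.drive} root_pid={f.root_pid} stage={f.stage}")
        for line in f.detail:
            print("   ", line)
```

Keying the chain on (host, pid) rather than on image names alone is what keeps the benign ws02 batch job quiet: the mount event is the precondition, and every later stage must descend from the process that satisfied it. In a real deployment the mount precondition would come from the volume or VHDMP telemetry your EDR exposes, and PID reuse across reboots would need the event timestamp folded into the key.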
Aside from exfiltrating data, keystrokes, and other sensitive details, VenomRAT can download and run further executables and uses a hidden VNC (hVNC) session to control the desktop without alerting the user or tripping security controls.
This and similar threats should prompt users to verify unexpected purchase orders or invoices out of band, organizations to treat disk image attachments (.vhd, .vhdx) with the same suspicion as archives and scripts, and security teams to keep reinforcing phishing awareness.
"This is a unique approach. Attackers are constantly looking for ways to evade detection, and hiding malware within a virtual hard disk image is a good example of that," said Forcepoint X-Labs security researcher Prashant Kumar.