New Phishing Emails Deliver Malicious .ISO Files to Evade Detection

On May 22, 2017, PhishMe® received several emails with .ISO images as attachments via the Phishing Defense Center. ISO images are typically used as an archive format for the contents of an optical disc and are often used as installers for operating systems. In this case, however, a threat actor leveraged this archive format as a means to deliver malware to the recipients of their phishing email. Analysis of the attachments showed that the archive was abused to deliver malicious AutoIT scripts hidden within a PE file that appears to be a Microsoft Office document; the PE file creates a process called MSBuild.exe and causes it to act as a Remote Access Trojan. AutoIT is a BASIC-like scripting language designed for automating Windows GUI tasks and general scripting. Like any scripting or programming language, it can be used for malicious purposes.

The following details the indicators of phishing identified during this analysis and activity of the malicious payload.

Emails analyzed by the Phishing Defense Team were sent from sales{at}blsbake.com and included the subject line Purchase Order with sample pictures.

After the .ISO file is opened, it reveals a PE file that masquerades as a Microsoft Word document. Once the PE file is executed, it creates a process called MSBuild.exe, which runs the malicious AutoIT script. The script then attempts to call out to hxxp://sima.sweed-viki[.]ru/panel/post.php

Once a connection has been established, it sends the following traffic over HTTP:

Recommendation:

PhishMe cautions its customers to be wary of emails containing suspicious links or attachments. Specific to this sample, we recommend that customers be observant for emails that contain subject lines as described above. PhishMe Triage™ customers may create a rule as described below to detect this threat.
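The indicators above (the sender address, the subject line, an .ISO attachment, and a PE executable hidden inside the image) can be checked mechanically at the mail gateway or in an analyst's triage script. The following is an added example written for this post; it is not PhishMe's Triage rule and not code from the report. It parses an .eml message with Python's standard `email` library, recognises an ISO 9660 image by its `CD001` volume-descriptor signature, and scans the image bytes for a PE header. The sample message it builds is constructed here for the demonstration; the sender and subject values are the ones quoted in the report.

```python
"""Triage an .eml message for the ISO-attachment phishing pattern described above."""
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the report: sender address, subject line, ISO attachment.
KNOWN_SENDER = "sales@blsbake.com"
KNOWN_SUBJECT = "purchase order with sample pictures"
ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # first volume descriptor: sector 16 (0x8000) + 1 byte type field


def is_iso_image(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume-descriptor signature."""
    end = ISO_MAGIC_OFFSET + len(ISO_MAGIC)
    return len(data) >= end and data[ISO_MAGIC_OFFSET:end] == ISO_MAGIC


def contains_pe(data: bytes) -> bool:
    """True if a PE executable header (MZ stub whose e_lfanew points at 'PE\\0\\0') occurs
    anywhere in the bytes. A raw scan is enough for triage; the ISO file system is not parsed."""
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        pe_off = off + e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return True
    return False


def triage_email(raw: bytes) -> list[str]:
    """Return the list of indicators found in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if KNOWN_SENDER in (msg.get("From") or "").lower():
        hits.append("sender matches known phishing address")
    if (msg.get("Subject") or "").strip().lower() == KNOWN_SUBJECT:
        hits.append("subject matches known lure")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(".iso") or is_iso_image(payload):
            hits.append(f"ISO image attachment: {fname or '<unnamed>'}")
            if contains_pe(payload):
                hits.append("ISO contains a PE executable")
    return hits


def build_sample_eml() -> bytes:
    """Constructed sample message (not a real capture) carrying a fake ISO with a PE header."""
    image = bytearray(0x8800)  # 17 sectors of 2048 bytes, all zero
    image[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    # Minimal PE-looking header: MZ stub with e_lfanew (at 0x3C) pointing to 'PE\0\0' at 0x40.
    pe = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00"
    image[0x1000:0x1000 + len(pe)] = pe
    msg = EmailMessage()
    msg["From"] = "sales@blsbake.com"
    msg["To"] = "recipient@example.invalid"   # constructed placeholder recipient
    msg["Subject"] = "Purchase Order with sample pictures"
    msg.set_content("Please find the purchase order attached.")
    msg.add_attachment(bytes(image), maintype="application",
                       subtype="x-iso9660-image", filename="PO_sample.iso")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in triage_email(build_sample_eml()):
        print("-", hit)
```

Matching on the `CD001` signature rather than the file extension catches an ISO that has been renamed, and the PE scan flags the image even when the executable inside carries a document-like name. In production the subject and sender checks would be one rule among many; an ISO attachment containing any PE file is the indicator worth alerting on regardless of the lure text.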
