A threat actor is using an unusual attachment format (WIM) to bypass security software and distribute the Agent Tesla remote access trojan.
As secure email gateways and security software become more advanced and adapt to ever-changing phishing campaigns, threat actors resort to more unusual file formats to bypass detection.
In the past, phishing campaigns have turned to unusual attachments, such as ISO or TAR files, which are not usually found as email attachments.
However, as threat actors adopt new and unusual attachment types, cybersecurity companies add further detections to catch them.
Using WIM to bypass security
In a new Trustwave report, researchers explain how a threat actor has begun using WIM (Windows Imaging Format) attachments to distribute the Agent Tesla remote access trojan.
"All the WIM files we collected from our samples contain Agent Tesla malware. This threat is a Remote Access Trojan (RAT) written in .Net that can take full control of a compromised system and can exfiltrate data via HTTP, SMTP, FTP and Telegram," explains Trustwave security researcher Diana Lopera in the report.
These campaigns start with phishing emails pretending to send information from DHL or Alpha Trans, as shown below.
The emails carry .wim attachments (sometimes named with a .wim or .wim.001 extension) that are designed to bypass security software.
Windows Imaging Format (WIM) is a file-based disk image format developed by Microsoft to help deploy Windows Vista and newer operating systems.
WIM files are used to pack the entire drive, with all its files and folders, into a single file for easy distribution.
As you can see below, when you open one of these WIM attachments in a hex editor, it clearly shows that an executable is enclosed in it.
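The hex-editor observation above (a WIM container with an executable sitting inside it) is the kind of check a mail filter can automate. The following is an added example, not code from Trustwave or BleepingComputer: it identifies a WIM container by its magic bytes rather than trusting the file extension, locates an embedded PE image by validating the DOS header's e_lfanew pointer against the "PE\0\0" signature, and returns a block/allow verdict with reasons. The sample attachment bytes are constructed to mimic the layout described in the article and are not a real WIM or a runnable executable.

```python
"""Defender-side triage of an email attachment suspected of being a WIM
container with an embedded executable.

Added example, not the researchers' code. The WIM magic bytes and the PE
header layout are documented formats; SAMPLE_WIM below is constructed.
"""
import re
from typing import Optional

WIM_MAGIC = b"MSWIM\x00\x00\x00"        # first 8 bytes of a WIM header
WIM_EXTENSIONS = (".wim", ".wim.001")   # extensions seen in the campaign
PE_SIGNATURE = b"PE\x00\x00"            # follows the DOS stub in every PE file


def has_wim_extension(filename: str) -> bool:
    """Extension check alone is weak: a renamed file slips past it."""
    return filename.lower().endswith(WIM_EXTENSIONS)


def is_wim_container(data: bytes) -> bool:
    """Content-based check: the WIM header starts with a fixed magic string."""
    return data[:8] == WIM_MAGIC


def find_embedded_pe(data: bytes) -> Optional[int]:
    """Return the offset of the first plausible PE image in the blob, or None.

    An 'MZ' pair alone appears by chance in binary data, so require that the
    e_lfanew field at offset 0x3C of the DOS header points at 'PE\\0\\0'.
    """
    for match in re.finditer(re.escape(b"MZ"), data):
        off = match.start()
        if off + 0x40 > len(data):          # DOS header would run off the end
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        pe_off = off + e_lfanew
        if data[pe_off:pe_off + 4] == PE_SIGNATURE:
            return off
    return None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine name-based and content-based signals into one verdict."""
    wim_by_magic = is_wim_container(data)
    wim_by_ext = has_wim_extension(filename)
    pe_offset = find_embedded_pe(data)

    reasons = []
    if wim_by_magic:
        reasons.append("WIM container identified by magic bytes")
    if wim_by_ext:
        reasons.append("WIM file extension")
    if pe_offset is not None:
        reasons.append(f"embedded PE image at offset {pe_offset}")

    return {
        "filename": filename,
        "is_wim": wim_by_magic or wim_by_ext,
        # True when the name and the bytes disagree, e.g. a renamed WIM
        "extension_mismatch": wim_by_magic != wim_by_ext,
        "pe_offset": pe_offset,
        "verdict": "block" if reasons else "allow",
        "reasons": reasons,
    }


def _fake_pe() -> bytes:
    # Constructed: a 64-byte DOS header whose e_lfanew points right after it,
    # followed by the PE signature. Not an executable, just the header shape.
    dos_header = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little")
    return dos_header + PE_SIGNATURE + b"\x00" * 16


# Constructed sample: WIM magic, some padding, then the fake PE image.
SAMPLE_WIM = WIM_MAGIC + b"\x00" * 200 + _fake_pe()


if __name__ == "__main__":
    for name, blob in [("DHL_Shipment.wim", SAMPLE_WIM),
                       ("report.pdf", SAMPLE_WIM),
                       ("notes.txt", b"hello world")]:
        print(triage_attachment(name, blob))
```

The content check is what matters operationally: the second sample above carries a .pdf name but is still blocked because the bytes identify a WIM container with a PE image inside, which is exactly the case an extension-only rule would miss.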
However, while WIM files may be less likely to be detected, phishing campaigns that use them are harder to pull off, as Windows does not have a built-in mechanism for opening a WIM file.
Therefore, when a user tries to open the attachment in Windows, a message will appear asking them to choose which program will open the file as shown below.
This file format would therefore require a recipient to go out of their way to extract the file using a program such as 7-Zip and then double-click the executable inside it, which is very unlikely to happen.
While using an unusual attachment can bypass some security filters, it is also a double-edged sword for the attacker.
Secure email gateways are almost certain to block these attachments. However, if you come across an email with a WIM attachment, just delete it, as no legitimate sender uses this file format for email.
Source of information: bleepingcomputer.com