As early as May 2017, we’ve seen spear phishing campaigns that use ISO file type as an attachment to emails. That is a good alternative for zip in delivering malware payloads.
These spear phishing campaigns targeted the following industries in particular:
Below are samples of spam emails with ISO attachments:
This kind of attack will affect users of Windows 8 or later as the operating system automatically mounts the said ISO into a drive once opened as shown below.
This will open an new window which shows an executable payload which can be double-clicked by unaware users:
Below are the filenames of the attachment we’ve found used in the wild:
We also found that the embedded executable payload varies from Fareit, Neurvt to VBKrypt malware.
This lead us to believe that this method is being used by several actors or could be part of a Spam-Service sold on the dark web.
We tried to search leads to the threat actors and found one of the Spam emails pointing to a suspicious source: info@lngoilandgasplc.com
Checking the registration information of the said website leads to the following email address:
Admin Email: cmeucke@yahoo.com
Searching the web for the said email and related information points us to the following domain names previously used for Spam emails:
We also managed to correlate the information to a well known RAT “Luminosity” (d25e0c5c1c9295bb09ebc766fc76805dd2b562b3e490dd1995e6e9b91f06a9bd).
This shows that the threat actors are not only changing the infection vector but also shifting to a different malware payload within.
