Below are samples of spam emails with ISO attachments:



This kind of attack affects users of Windows 8 or later, because the operating system automatically mounts the ISO as a drive once it is opened, as shown below.

This opens a new window showing an executable payload, which unaware users can double-click:

Below are the attachment filenames we’ve found used in the wild:
- PAYMENTSLIP,DOC.iso
- REQUEST FOR QUOTATION,DOC.iso
- PAYMENTSLIP%2CDOC.iso
- QUOTATION,PDF.iso
- Qt4004233493MPOrder.iso
- Quotation-0568.iso
- CASH Denominations.iso
- INVOICE.iso
- CASH DENOMINATION.iso
- REQUEST QUATATION.iso
- doc02190820170520154353.iso
- 17072017154624.iso
- DHL.iso
- PROFORMA INVOICE.iso
- Request for Quotation (RFQ) – 14000097020.iso
- Proforma INV.iso
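As an added example (not code from the original post), a small Python triage helper a mail gateway could run on an ISO attachment before any user opens it: it parses the ISO 9660 primary volume descriptor and root directory and flags file names with executable extensions, which is exactly what the auto-mount behaviour described above exposes to a double-click. The image it inspects is constructed inline; it reads only the root directory of the primary descriptor (no Joliet or Rock Ridge names, no subdirectories).

```python
import struct

SECTOR = 2048
EXEC_EXT = {"EXE", "SCR", "COM", "PIF", "BAT", "CMD", "VBS", "JS", "LNK"}

def _dir_record(name: bytes, lba: int, size: int, is_dir: bool) -> bytes:
    """Build one ISO 9660 directory record (both-endian fields: LE then BE)."""
    body = (b"\x00" + struct.pack("<I", lba) + struct.pack(">I", lba)
            + struct.pack("<I", size) + struct.pack(">I", size)
            + bytes(7) + bytes([0x02 if is_dir else 0]) + bytes(2)
            + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
    if len(name) % 2 == 0:
        body += b"\x00"  # pad so the whole record has even length
    return bytes([len(body) + 1]) + body

def build_sample_iso() -> bytes:
    """Constructed sample image: the root directory holds INVOICE.EXE and README.TXT."""
    root_lba = 18
    self_rec = _dir_record(b"\x00", root_lba, SECTOR, True)
    root_dir = (self_rec + _dir_record(b"\x01", root_lba, SECTOR, True)
                + _dir_record(b"INVOICE.EXE;1", 19, 1024, False)
                + _dir_record(b"README.TXT;1", 20, 12, False))
    img = bytearray(SECTOR * 21)
    pvd_off = 16 * SECTOR
    img[pvd_off:pvd_off + 7] = b"\x01CD001\x01"  # type 1 PVD, "CD001", version 1
    img[pvd_off + 156:pvd_off + 156 + len(self_rec)] = self_rec
    img[root_lba * SECTOR:root_lba * SECTOR + len(root_dir)] = root_dir
    return bytes(img)

def list_root_files(image: bytes) -> list:
    """Return plain file names from the primary volume descriptor's root directory."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor")
    lba, size = struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0]
    data = image[lba * SECTOR:lba * SECTOR + size]
    names, pos = [], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:  # zero padding at the end of a sector: jump to the next one
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name = data[pos + 33:pos + 33 + data[pos + 32]]
        if name not in (b"\x00", b"\x01") and not data[pos + 25] & 0x02:
            names.append(name.decode("ascii").split(";")[0])  # drop the ';1' version suffix
        pos += rec_len
    return names

def executables_in_iso(image: bytes) -> list:
    """Names whose extension Windows would run on double-click, the lure this campaign relies on."""
    return [n for n in list_root_files(image) if n.rsplit(".", 1)[-1].upper() in EXEC_EXT]
```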
We also found that the embedded executable payload varies, from Fareit and Neurvt to VBKrypt malware.
This leads us to believe that the method is being used by several actors, or could be part of a spam service sold on the dark web.
Leads to Threat Actors
We searched for leads to the threat actors and found that one of the spam emails pointed to a suspicious source: info@lngoilandgasplc.com
Checking the registration information of that website leads to the following email address:
Admin Email: cmeucke@yahoo.com
Searching the web for that email address and related information points us to the following domain names previously used for spam emails:
- TRANSOCCEANOIL.COM
- SZELLOVER.COM
- MIDALCCABLE.COM
- LINUXCOMPANYLTD.COM
- EMAROAD.COM
- MORNNICKFIRM.COM
We also managed to correlate the information to a well-known RAT, “Luminosity” (d25e0c5c1c9295bb09ebc766fc76805dd2b562b3e490dd1995e6e9b91f06a9bd).
This shows that the threat actors are not only changing the infection vector but also shifting to a different malware payload inside it.