Had a user contact me believing the below email was malicious. The odd thing about this email was the infected attachment. The attachment was a .img; inside that .img container was an exe named e-voucher.exe. I uploaded the file to VirusTotal. VirusTotal’s results came back only showing a few vendors detecting the file as infected. Using the VirusTotal relational tool, I was able to see the exe reached out to two Apple sites to check for connectivity. Once connectivity had been established, it reached out to two IP addresses. The addresses were 184.50.26.43 and 23.75.186.19. At this point the malware then distributed malware to your machine depending on your OS; the OSes targeted were Mac and Windows. Our AV was currently not detecting the infection, so the file was submitted to them, and as of this morning the infection is now being detected as W32/Autoit.DXA!tr. We also started blocking .img attachments on our filter. I have not seen this file attachment type used for malware distribution, so I thought I would share my experience with everyone.

42 Spice ups

With each passing day they’re getting sneakier and more sophisticated. Stuff like @KnowBe4 is becoming a necessity nowadays. I didn’t know about that VirusTotal relational tool - that’s sweet.

8 Spice ups

You don’t even need to investigate the attachment. The email address is a dead giveaway.

6 Spice ups

+1 Denis Kelly
+1 VirusTotal Relational Tool

1 Spice up

That’s a very smart attachment type! The end user probably sees img and thinks image, which is correct but not the kind they are expecting. As far as the sender, the address looks very convincing. Lots of companies send from multiple domains nowadays. In reality we can’t expect users to research every domain name and check Sophos to make sure it’s safe.

Thanks for putting this out there OP.

5 Spice ups

There are a raft of extensions for attachments I block outright in our Barracuda. This is a great example of why I do that.

I’ve had to explain to people I don’t care their vendor has a 20 year old copy machine that scans to TIFF, if they want to sell us stuff they can convert it to PDF before sending over a quote. Or even better, catch up to 2010 and get a scanner that can emit PDF natively!

5 Spice ups

That is dang clever. Good post and threat analysis. Even I first thought it was a graphics image and it gave me a flashback to good old MS08-052 GDI+ vulnerabilities. And had me thinking of the Android vuln a couple months ago involving malicious .png’s.

A legit graphics attack is probably worse in terms of ease of execution, but I guess it comes down to the severity of the payload. At least this instance requires more user interaction to open the container. Good idea blocking .img’s.

3 Spice ups

Since the AV didn’t detect it, I needed to see the relational data to block the IP addresses.

4 Spice ups

How did you safely upload this to VirusTotal? Does it not trigger until you try to open it? Or can you just forward the email?

Blocking the IP is a lose lose situation mostly. They keep changing and you are hard pressed to keep up.

2 Spice ups

The file doesn’t trigger unless it’s opened, so the attachment was just uploaded to VirusTotal. I know that a virus will change the IP address, but the attachment extension was blocked so nothing with that extension could pass our filter. Blocking the IP allowed me to stop the virus just in case someone forwarded it to someone else. Now that the AV has up-to-date signatures it’s no problem.

1 Spice up

I’m feeling very dumb here. What is an img container? I know img as image files, but not as containers or something that can be clicked on and executed.

Similar to an ISO file.

@roger-knowbe4

1 Spice up

Ah, thanks.

1 Spice up

OK, so I renamed an ISO to IMG and saw that Windows would automatically open it.

Is there a way to auto-execute or does the victim have to click on something?

Everything I can see requires the user to mount the image file then run the exe

1 Spice up
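The OP’s fix was to block the .img extension on the mail filter, and the post above shows why that alone is thin: an ISO renamed to .img (or to anything else) still mounts. The script below is an added example, not code from the original thread or from any vendor product mentioned in it. It parses an .eml with Python’s standard email module, refuses a sample list of disk-image and executable extensions (the list is an assumption, not the OP’s actual policy), and separately looks for the ISO 9660 “CD001” volume-descriptor magic at byte 0x8001 and the PE “MZ” header, so a container renamed to .jpg is still flagged. The sample message it builds is constructed inline for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage

# Sample deny list (assumption for this example, not the OP's filter configuration)
BLOCKED_EXTENSIONS = {".img", ".iso", ".vhd", ".exe", ".scr", ".js"}

ISO9660_MAGIC_OFFSET = 0x8001  # "CD001" sits in the Primary Volume Descriptor at byte 32769
ISO9660_MAGIC = b"CD001"
MZ_MAGIC = b"MZ"                # DOS/PE executable header


def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be held; empty list means no finding."""
    reasons = []
    lower = (filename or "").lower()
    ext = lower[lower.rfind("."):] if "." in lower else ""
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    # Content checks run regardless of the name, so renaming .iso -> .img -> .jpg does not help
    end = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)
    if len(data) >= end and data[ISO9660_MAGIC_OFFSET:end] == ISO9660_MAGIC:
        reasons.append("ISO 9660 disk image content (regardless of extension)")
    if data[:2] == MZ_MAGIC:
        reasons.append("Windows PE executable content")
    return reasons


def scan_email(raw: bytes) -> dict[str, list[str]]:
    """Map each flagged attachment filename to its list of reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, payload)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_email() -> bytes:
    """Constructed sample: an ISO-9660-looking blob renamed to .jpg plus a harmless text file."""
    image = bytearray(ISO9660_MAGIC_OFFSET + 16)
    image[ISO9660_MAGIC_OFFSET:ISO9660_MAGIC_OFFSET + 5] = ISO9660_MAGIC
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Your e-voucher"
    msg.set_content("Please see the attached voucher.")
    msg.add_attachment(bytes(image), maintype="application",
                       subtype="octet-stream", filename="e-voucher.jpg")
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_email(build_sample_email()).items():
        print(name, "->", "; ".join(why))
```

The extension check is what most gateway deny lists do; the magic-byte check is the part worth adding, because the Windows shell decides whether to mount a file by its content, not by the name the attacker chose. Note that the script only reads the mail and the attachment bytes; it never mounts or executes anything.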

When you say “opened” do you mean that simply opening the IMG container triggers something or do you mean they have to click on and run an executable?

It feels and seems very similar to opening a .zip file.

It depends on your default app for handling .img files, but modern Windows auto-mounts them as DVD drives.

Mute this and play @ 1.5x speed to get a better idea how Win10 handles them.

4 Spice ups

So to answer, it does require additional user interaction to launch the payload once the .img file is open.

3 Spice ups

Thanks for clearing it up spiceuser!

@techuserworksuser6504

1 Spice up