A new wave of highly targeted phishing attacks is leveraging a classic technique with a modern twist to breach corporate finance departments. Security researchers are tracking an active campaign where threat actors distribute information-stealing malware through ISO file attachments, specifically aiming at financial institutions and accounting teams. The attack chain is notable for its use of virtual drive mounting to bypass security controls and deliver a potent data-harvesting payload.
The campaign begins with deceptive emails crafted to appear as legitimate bank communications. One observed variant impersonates German banking institutions such as Volksbank, using subject lines like "Information for 2026" to create a false sense of urgency or official importance. Other emails mimic payment confirmations or invoices, a perennial favorite for targeting finance personnel who process such documents daily. The emails are designed to pressure the recipient into opening the attached file without a second thought.
The critical component of this attack is the ISO (International Organization for Standardization) disk image file attached to the email. ISO files are sector-by-sector copies of optical discs such as CDs or DVDs. When a user double-clicks an ISO file on a modern Windows system, the operating system automatically mounts it as a new virtual CD/DVD drive in File Explorer. This is a standard, legitimate Windows feature.
However, in this malicious scheme, the mounted virtual drive does not contain harmless documents. Instead, it holds a malicious shortcut file (LNK). The LNK file is often disguised with a familiar icon, such as a PDF document, to trick users into executing it. Once clicked, the LNK file executes a script or directly launches a malicious executable. This executable is the information-stealer payload.
The deployed stealer malware is designed to conduct a comprehensive sweep of the infected system. Its primary targets include:
- Saved credentials from web browsers (Chrome, Edge, Firefox, etc.) and email clients.
- Autofill data and browsing history.
- Session cookies, which could allow attackers to hijack active logins to banking portals or corporate systems.
- Files from specific directories, potentially seeking financial spreadsheets, reports, or tax documents.
- Cryptocurrency wallet files and related keys.
The stolen data is then exfiltrated to a command-and-control (C2) server controlled by the attackers, who can monetize it through direct fraud, sell it on underground forums, or use it for further targeted attacks like Business Email Compromise (BEC).
Why the ISO Technique is Effective
This method provides several advantages for the attackers:
- Bypass of Email Filters: Many email security gateways are configured to block executable (.exe, .scr) or script (.js, .vbs) attachments. However, ISO files are less commonly blocked by default, as they are legitimate archive formats. The filters often do not unpack and scan the contents of the ISO, allowing the malicious LNK file inside to pass through undetected.
- Evasion of Mark-of-the-Web (MotW): When a file is downloaded from the internet or an email, Windows applies a security marker known as "Mark-of-the-Web." This can trigger SmartScreen warnings for directly executable files. Files inside a mounted ISO may not inherit this marker in the same way, potentially reducing user-facing security alerts.
- Social Engineering Leverage: The act of mounting a "disc" feels less suspicious to some users than directly running an executable. The extra step (opening the ISO, then clicking the file inside) can also lower the user's guard.
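The filter gap described above (gateways that pass ISO attachments without looking inside) can be closed with a small inspection step before delivery. The following Python script is an added example, not code from the original article or from any vendor product: it recognizes an attachment as an ISO 9660 image by its volume descriptor signature, walks the root directory for .LNK entries, and scans the raw bytes for the Windows shortcut header so a renamed shortcut is still caught. The image it inspects is constructed in memory for the test (the file name INVOICE.PDF.LNK and the header-only shortcut body are both made up), so the script runs offline.

```python
"""Gateway-side triage of an ISO attachment: identify the image by its ISO 9660
signature and flag any Windows shortcut (.LNK) it carries.

Added example, not code from the original article. The sample image is
constructed in memory (header-only shortcut, made-up file name) so it runs offline.
"""
import struct

SECTOR = 2048
ISO_SIG = b"CD001"            # ISO 9660 volume descriptor identifier
ISO_SIG_OFFSET = 0x8001       # sector 16 (0x8000) + the 1-byte descriptor type
# Every Windows shortcut begins with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def is_iso_image(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor signature."""
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] == ISO_SIG


def list_root_entries(data: bytes) -> list[str]:
    """Return the file identifiers in the root directory of an ISO 9660 image.

    Only the root directory is parsed, which covers the single-shortcut layout
    described in the article; nested directories would need a recursive walk.
    """
    pvd = data[16 * SECTOR:17 * SECTOR]
    root = pvd[156:156 + 34]                            # root directory record
    extent = struct.unpack_from("<I", root, 2)[0]       # directory LBA
    size = struct.unpack_from("<I", root, 10)[0]        # directory length in bytes
    directory = data[extent * SECTOR:extent * SECTOR + size]
    names, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                                # zero padding: skip to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name_len = directory[pos + 32]
        name = directory[pos + 33:pos + 33 + name_len].decode("ascii", "replace")
        if name not in ("\x00", "\x01"):                # skip the "." and ".." entries
            names.append(name.split(";")[0])            # drop the ";1" version suffix
        pos += rec_len
    return names


def triage_iso(data: bytes) -> dict:
    """Indicators a gateway policy can act on before the message is delivered."""
    if not is_iso_image(data):
        return {"is_iso": False, "lnk_names": [], "lnk_headers": 0}
    names = list_root_entries(data)
    return {
        "is_iso": True,
        "lnk_names": [n for n in names if n.upper().endswith(".LNK")],
        "lnk_headers": data.count(LNK_MAGIC),   # raw scan also catches a renamed shortcut
    }


def _record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build one ISO 9660 directory record (used only to construct the sample)."""
    rec = bytearray(b"\x00\x00")                        # length (patched below), ext. attr len
    rec += struct.pack("<I", extent) + struct.pack(">I", extent)   # both-endian LBA
    rec += struct.pack("<I", size) + struct.pack(">I", size)       # both-endian length
    rec += bytes(7) + bytes([flags, 0, 0])              # date, flags, unit size, interleave
    rec += struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
    rec += bytes([len(name)]) + name
    if len(rec) % 2:
        rec += b"\x00"                                  # records are padded to even length
    rec[0] = len(rec)
    return bytes(rec)


def build_sample_iso() -> bytes:
    """Constructed 20-sector image with one entry, INVOICE.PDF.LNK (a double
    extension like the PDF-iconed lure in the article); the body is a bare header."""
    root_lba, file_lba = 18, 19
    lnk_body = LNK_MAGIC + bytes(60)                    # not a functioning shortcut
    root_dir = (_record(b"\x00", root_lba, SECTOR, 2) + _record(b"\x01", root_lba, SECTOR, 2)
                + _record(b"INVOICE.PDF.LNK;1", file_lba, len(lnk_body), 0))
    image = bytearray(20 * SECTOR)
    image[16 * SECTOR:16 * SECTOR + 7] = b"\x01CD001\x01"            # primary volume descriptor
    image[16 * SECTOR + 156:16 * SECTOR + 190] = _record(b"\x00", root_lba, SECTOR, 2)
    image[17 * SECTOR:17 * SECTOR + 6] = b"\xffCD001"                 # descriptor set terminator
    image[root_lba * SECTOR:root_lba * SECTOR + len(root_dir)] = root_dir
    image[file_lba * SECTOR:file_lba * SECTOR + len(lnk_body)] = lnk_body
    return bytes(image)


if __name__ == "__main__":
    print(triage_iso(build_sample_iso()))
    print(triage_iso(b"%PDF-1.4 not a disk image"))
```

Running the script reports the constructed image as an ISO with one .LNK name and one shortcut header, and reports a PDF-looking blob as not an ISO. Doing this check at the gateway also means the organization does not have to rely on the endpoint's Mark-of-the-Web handling for mounted images, which the article notes is weaker than for directly downloaded executables.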
Mitigation and Defense Strategies
For cybersecurity teams, particularly those defending financial organizations, this campaign underscores the need for layered defenses:
- User Training & Awareness: Finance departments must be trained to be exceptionally wary of unexpected emails with attachments, even those appearing to come from known partners or banks. They should be instructed to never open ISO, IMG, or other disk image files from unverified sources.
- Technical Controls: Organizations should consider implementing Group Policy or security policies to disable the automatic mounting of ISO and other disk image files via Windows Explorer. This forces a manual review process.
- Enhanced Email Security: Configure email gateways to treat ISO files with high suspicion. Implement solutions capable of sandboxing and dynamically unpacking archive files to inspect their contents before delivery.
- Endpoint Detection and Response (EDR): Ensure EDR solutions are tuned to detect the creation of LNK files in unexpected locations (like newly mounted drives) and the subsequent spawning of processes that exhibit stealer behavior, such as mass credential access from browser databases.
- Network Monitoring: Monitor for connections to known malicious IPs or domains associated with stealer malware C2 servers.
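The EDR tuning point above (a process spawned by Explorer from a newly mounted drive, followed by mass credential access against browser databases) can be written as a correlation rule over process and file telemetry. The Python below is an added example, not the article's code or any EDR vendor's: the event records are constructed in a simplified Sysmon-like shape (process creation plus a generic file-access record), and the PIDs, user name, drive letters and the name Statement.exe are made up for the test.

```python
"""Correlation rule for the behaviour the article describes: a process started by
Explorer from a non-system (freshly mounted) volume that then reads the credential
stores of several browsers within a short window.

Added example, not the article's or any vendor's code. Events are constructed in a
simplified Sysmon-like shape; real telemetry carries more fields and different names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SYSTEM_DRIVE = "C:"
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}   # legitimate owners of the stores
CREDENTIAL_STORES = ("login data", "cookies", "web data", "logins.json", "key4.db")
WINDOW = timedelta(seconds=60)
MIN_STORES = 3       # distinct stores touched before we call it "mass credential access"

# Constructed sample telemetry (not real logs): one infection chain, one benign
# browser start, and one installer run from a USB stick that should only score medium.
EVENTS = [
    {"type": "process_start", "time": "2026-01-14T09:12:01", "pid": 4120,
     "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"type": "process_start", "time": "2026-01-14T09:12:40", "pid": 5212,
     "image": r"E:\Statement.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_access", "time": "2026-01-14T09:12:41", "pid": 5212,
     "path": r"C:\Users\finance\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_access", "time": "2026-01-14T09:12:41", "pid": 5212,
     "path": r"C:\Users\finance\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"type": "file_access", "time": "2026-01-14T09:12:42", "pid": 5212,
     "path": r"C:\Users\finance\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "file_access", "time": "2026-01-14T09:12:43", "pid": 5212,
     "path": r"C:\Users\finance\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\logins.json"},
    {"type": "process_start", "time": "2026-01-14T09:20:00", "pid": 6001,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_access", "time": "2026-01-14T09:20:01", "pid": 6001,
     "path": r"C:\Users\finance\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_start", "time": "2026-01-14T10:05:00", "pid": 7000,
     "image": r"D:\Setup.exe", "parent_image": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(events: list[dict]) -> list[dict]:
    """Return one alert per suspicious process, with the evidence that fired."""
    procs = {}                      # pid -> process creation record
    touched = defaultdict(list)     # pid -> [(time, credential store path)]
    for ev in events:
        if ev["type"] == "process_start":
            procs[ev["pid"]] = ev
        elif ev["type"] == "file_access" and _basename(ev["path"]) in CREDENTIAL_STORES:
            touched[ev["pid"]].append((_ts(ev["time"]), ev["path"]))

    alerts = []
    for pid, p in procs.items():
        reasons = []
        # Stage 1: Explorer launched an image that does not live on the system drive,
        # which is what a double-clicked shortcut inside a mounted ISO looks like.
        if (_basename(p["parent_image"]) == "explorer.exe"
                and not p["image"].upper().startswith(SYSTEM_DRIVE)):
            reasons.append(f"started by Explorer from non-system volume {p['image'][:2]}")
        # Stage 2: a non-browser process reads several credential stores in one window.
        if _basename(p["image"]) not in BROWSER_IMAGES:
            hits = sorted(touched.get(pid, []))
            for i, (t0, _) in enumerate(hits):      # sliding window over access times
                stores = {path.lower() for t, path in hits[i:] if t - t0 <= WINDOW}
                if len(stores) >= MIN_STORES:
                    reasons.append(f"read {len(stores)} browser credential stores "
                                   f"within {WINDOW.seconds}s")
                    break
        if reasons:
            alerts.append({"pid": pid, "image": p["image"],
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the constructed events the rule raises a high-severity alert for the process launched from E:\ that read four credential stores within three seconds, a medium alert for the installer run from D:\ (stage 1 only, worth a look but not a stealer signal), and nothing for Chrome opening its own Login Data file. In production the drive-letter heuristic should be replaced with the volume type the EDR reports (optical or virtual disk), and the browser allowlist should key on signed image paths rather than file names.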
The resurgence of ISO-based delivery for infostealers is a reminder that threat actors continuously repackage old techniques within new social engineering lures. For the high-value target of corporate finance, maintaining vigilance against such evolving threats is not just an IT concern but a critical business imperative.