Last week, CERT/CC security officer Will Dormann published a study dedicated to how Windows handles VHD and VHDX disk images. Dormann explained that such images are essentially a black box for the OS: the files inside them are not scanned until the image is mounted and the files are launched.
Worse, antivirus products also ignore the contents of such images, which open with a simple double-click, just like ZIP archives. In the video below you can see a demonstration in which the protection detects a threat inside an archive, while the same threat inside a virtual hard disk raises no suspicion at all.
Other information security experts quickly took an interest in Dormann's research. For example, an expert known under the pseudonym JTHL ran his own experiment and placed AgentTesla malware into a disk image. VHD and VHDX images do not need to be large; they can be compact enough to attach to an e-mail and send to the victim. JTHL's VHD file turned out to be only 7 MB in size, and the scan showed that antivirus solutions do not notice the malware until the disk is actually mounted.
static / dynamic .vhd are 2 different formats
neither well detected
agenttesla in 2 vhd's:
not detected by
Barracuda CPL + ATP + BESG pic.twitter.com/zZkyvl5AlE
– JTHL (@JayTHL) September 5, 2019
Another security specialist, Jan Paulsen, notes that antivirus products are not the only defenses that fail to "see" malware inside such image files. For his test he wrote a script that uses diskpart to mount the VHD file automatically and run the malware inside it. The threat was ignored by Gmail's filters (although Gmail is suspicious of the ZIP archives mentioned above), went unnoticed when the file was downloaded with Google Chrome, and was also missed by Windows Defender.
Yesterday I did a full attach and execute script. It will mount the .vhd automatically and execute the malware inside. At no point is the malware detected
– ⛧ ʲªͷ ҎΩΰⱠᶊἕ א (@Jan0fficial) September 6, 2019
As a result, Paulsen produced a crude PoC that automatically launches AgentTesla from a virtual hard disk image. In effect, this allows malware to be delivered inside a VHD file without antivirus software noticing it until it is launched on the victim's host. Of course, administrator privileges are required to use diskpart, but the expert notes that privilege-escalation vulnerabilities could help potential attackers here.
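The check a mail gateway or an EDR ingestion pipeline would want here, as an added example that is not part of the original article nor of Dormann's, JTHL's or Paulsen's own scripts: classify attachments as VHD or VHDX by their on-disk signatures (the `conectix` footer cookie and the `vhdxfile` identifier) rather than by extension, report whether a VHD is fixed or dynamic (the two formats JTHL tested), verify the footer checksum, and quarantine the file before anyone double-clicks it. The `triage_attachment` policy, the `build_vhd_footer` helper and the sample blobs are constructed for this example; the field offsets follow the published VHD footer layout.

```python
import struct

# Format constants from the VHD and VHDX specifications.
VHD_COOKIE = b"conectix"       # VHD: 512-byte footer at the end of the file
VHDX_SIGNATURE = b"vhdxfile"   # VHDX: file identifier at offset 0
FOOTER_SIZE = 512
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_footer_checksum(footer: bytes) -> int:
    """VHD footer checksum: one's complement of the byte sum, computed with
    the checksum field itself (offset 64..67) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_vhd_footer(footer: bytes):
    """Decode a 512-byte VHD footer; return None if the cookie is absent."""
    if len(footer) != FOOTER_SIZE or footer[:8] != VHD_COOKIE:
        return None
    disk_type = struct.unpack(">I", footer[60:64])[0]
    stored_checksum = struct.unpack(">I", footer[64:68])[0]
    return {
        "format": "VHD",
        "disk_type": VHD_DISK_TYPES.get(disk_type, "unknown"),
        "current_size": struct.unpack(">Q", footer[48:56])[0],  # virtual disk size in bytes
        "checksum_ok": stored_checksum == vhd_footer_checksum(footer),
    }


def identify_disk_image(data: bytes):
    """Classify a blob as VHDX, VHD (fixed/dynamic/differencing) or None,
    using on-disk signatures only, never the file name."""
    if data[:8] == VHDX_SIGNATURE:
        return {"format": "VHDX", "disk_type": "n/a", "current_size": None, "checksum_ok": None}
    if len(data) < FOOTER_SIZE:
        return None
    # Fixed images keep the footer only at the end; dynamic and differencing
    # images also store a copy of it at offset 0, so check both places.
    for candidate in (data[-FOOTER_SIZE:], data[:FOOTER_SIZE]):
        info = parse_vhd_footer(candidate)
        if info is not None:
            return info
    return None


def triage_attachment(filename: str, data: bytes) -> str:
    """Hypothetical gateway policy (an assumption of this example): quarantine
    any attachment that is really a disk image, whatever extension it carries."""
    info = identify_disk_image(data)
    if info is None:
        return "pass"
    if info["checksum_ok"] is False:
        return f"quarantine: {filename} has a VHD footer with a bad checksum"
    return f"quarantine: {filename} is a {info['format']} ({info['disk_type']}) disk image"


# --- constructed test data: synthetic images, not real malware samples ---

def build_vhd_footer(disk_type: int, size: int) -> bytes:
    """Build a minimal, checksum-valid VHD footer for the samples below."""
    f = bytearray(FOOTER_SIZE)
    f[0:8] = VHD_COOKIE
    struct.pack_into(">I", f, 8, 2)            # features: reserved bit is always set
    struct.pack_into(">I", f, 12, 0x00010000)  # file format version 1.0
    # data offset: all ones for fixed images, else offset of the dynamic header
    struct.pack_into(">Q", f, 16, 0xFFFFFFFFFFFFFFFF if disk_type == 2 else FOOTER_SIZE)
    f[28:32] = b"test"                         # creator application
    struct.pack_into(">Q", f, 40, size)        # original size
    struct.pack_into(">Q", f, 48, size)        # current size
    struct.pack_into(">I", f, 60, disk_type)
    struct.pack_into(">I", f, 64, vhd_footer_checksum(bytes(f)))
    return bytes(f)


FIXED_VHD = b"\x00" * 1024 + build_vhd_footer(2, 1024)
DYNAMIC_FOOTER = build_vhd_footer(3, 7 * 1024 * 1024)
DYNAMIC_VHD = DYNAMIC_FOOTER + b"\x00" * 2048 + DYNAMIC_FOOTER
VHDX_IMAGE = VHDX_SIGNATURE + "test".encode("utf-16-le").ljust(512, b"\x00") + b"\x00" * 1024
ZIP_BLOB = b"PK\x03\x04" + b"\x00" * 2048  # ZIP local file header: the format AV does inspect


if __name__ == "__main__":
    for name, blob in (("report.vhd", FIXED_VHD), ("invoice.pdf", DYNAMIC_VHD),
                       ("disk.vhdx", VHDX_IMAGE), ("docs.zip", ZIP_BLOB)):
        print(name, "->", triage_attachment(name, blob))
```

Signature matching is what makes this useful against the scenario in the article: the image is quarantined on the way in, whether or not the sender kept the .vhd extension, instead of relying on a scan that only happens after the user has mounted it. The checksum check is a cheap sanity test, not a security control; a crafted image can carry a valid checksum, so the policy quarantines valid and malformed footers alike.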