A particularly insidious phishing campaign is disguising malware pretending to be ordinary PDF documents behind links to virtual hard disks. Because workers are used to receiving purchase orders or invoices in the PDF format, they are likely to open the malicious files unthinkingly, enabling the malware they contain — in this case AsyncRAT, a remote-access Trojan — to take control of company computers.
The emails in this phishing campaign don’t attach a document directly but include links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly used by cybercriminals as it can be accessed through normal web gateways. Those files are virtual hard disks that, when opened, mount as a local disk, bypassing some Windows security features. Inside the disk is a Windows Script File (WSF) purporting to be the expected PDF: When the user opens it, Windows executes the code in the file thus leaving the computer open to exploitation by remote users.
To protect themselves, organizations and PC users should set Windows to show file extensions, MalwareBytes Labs advised in a blog post, crediting Securonix with discovering the Dead#Vax malware campaign.
