Microsoft says its machine learning threat detection models have helped its security staff spot multiple malicious spam (malspam) campaigns that deliver malware inside disk image files.
The activity, detected last week, uses COVID-19 lures (email subject lines and impersonated senders) to trick users into downloading, mounting and running ISO or IMG file attachments.
In a series of tweets today, Microsoft said the files inside these images install a version of Remcos, a remote access trojan (RAT) that gives attackers full control over the infected host.
Microsoft says the attackers have been persistent and have launched multiple distinct spam runs, targeting companies across different industries in multiple countries. The largest runs include:
- A Remcos campaign going after US small businesses looking to get disaster loans. In this case, companies received emails pretending to be from the US Small Business Administration (SBA), carrying a malicious IMG (disk image) attachment. The IMG file contained an executable file that uses a misleading PDF icon. When run, the executable file installs the Remcos RAT.
- A campaign targeting manufacturing companies in South Korea. Attackers sent target organizations an email impersonating the CDC's Health Alert Network (HAN) and carrying a malicious ISO file attachment. The ISO file contained a malicious SCR (screensaver) file, which is an ordinary Windows executable under another extension; running it installed Remcos.
- Another Remcos campaign targeted accountants in the US, with emails purporting to contain "COVID-19 related updates" for members of the American Institute of CPAs. The attachment was a ZIP archive containing the ISO + SCR combination seen in the South Korean campaign.
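The three runs share one delivery chain: a document-themed lure, optionally a ZIP, then an ISO or IMG disk image, then an executable (EXE with a PDF icon, or SCR) that the victim launches from the mounted image. The script below is an added example written for this page, not Microsoft's detection logic or anything recovered from the campaigns; it walks that chain with only the Python standard library and judges each file by its PE header rather than by its name or icon (the PDF icon lives inside the executable's resources, so neither is trustworthy). It assumes the attachment bytes have already been pulled out of the message, that the image uses the usual 2048-byte ISO 9660 sectors, and that the lure file sits in the image's root directory (subdirectories and Joliet names are ignored). The sample ZIP, ISO and PE header are constructed inline and are not real campaign artifacts.

```python
"""Added example: classify an attachment chain of the shape ZIP -> ISO/IMG -> SCR/EXE.
Not Microsoft's code; the sample data below is constructed for this page only."""
import io
import zipfile

SECTOR = 2048  # ISO 9660 logical block size (assumption: nearly every image uses it)

def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def iso_root_files(data: bytes):
    """{name: content} for files in the root directory of an ISO 9660 image,
    or None when sector 16 holds no primary volume descriptor (PVD)."""
    pvd = data[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        return None
    root = pvd[156:190]                        # root directory record inside the PVD
    extent = int.from_bytes(root[2:6], "little")
    size = int.from_bytes(root[10:14], "little")
    table = data[extent * SECTOR:extent * SECTOR + size]
    files, pos = {}, 0
    while pos < len(table):
        rec_len = table[pos]
        if rec_len == 0:                       # zero padding: records never span sectors
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = table[pos:pos + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01") and not rec[25] & 2:   # skip ., .. and subdirs
            f_extent = int.from_bytes(rec[2:6], "little")
            f_size = int.from_bytes(rec[10:14], "little")
            clean = name.decode("ascii", "replace").split(";")[0]  # drop the ';1' version
            files[clean] = data[f_extent * SECTOR:f_extent * SECTOR + f_size]
        pos += rec_len
    return files

def triage(name: str, data: bytes, path: str = "") -> list:
    """Recursively classify one attachment. Returns [(path, verdict), ...]."""
    path = f"{path}/{name}" if path else name
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += triage(member, zf.read(member), path)
        return findings
    inner = iso_root_files(data)               # .iso and most .img lures are ISO 9660
    if inner is not None:
        findings.append((path, "ISO 9660 disk image"))
        for fname, fdata in inner.items():
            findings += triage(fname, fdata, path)
        return findings
    if is_pe(data):                            # judge by content, never by icon or name
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        verdict = "PE executable"
        if ext == "scr":
            verdict += " with screensaver extension"
        elif ext not in ("exe", "com", "pif", "dll"):
            verdict += " with misleading extension"
        findings.append((path, verdict))
    return findings

def fake_pe() -> bytes:
    """Constructed MZ/PE header, enough to trip is_pe(); not a runnable program."""
    pe = bytearray(0x100)
    pe[0:2], pe[0x3C:0x40], pe[0x80:0x84] = b"MZ", (0x80).to_bytes(4, "little"), b"PE\0\0"
    return bytes(pe)

def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    rec = bytearray(33 + len(name) + (len(name) % 2 == 0))   # records are even-length
    rec[2:6], rec[6:10] = extent.to_bytes(4, "little"), extent.to_bytes(4, "big")
    rec[10:14], rec[14:18] = size.to_bytes(4, "little"), size.to_bytes(4, "big")
    rec[0], rec[25], rec[32], rec[33:33 + len(name)] = len(rec), flags, len(name), name
    return bytes(rec)

def build_sample_zip() -> bytes:
    """Constructed ZIP holding a 20-sector ISO whose root directory lists COVID19.SCR."""
    pe = fake_pe()
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, 2)        # root directory in sector 18
    root = (_dir_record(b"\x00", 18, SECTOR, 2) + _dir_record(b"\x01", 18, SECTOR, 2)
            + _dir_record(b"COVID19.SCR;1", 19, len(pe), 0))   # file body in sector 19
    iso = (bytes(16 * SECTOR) + bytes(pvd) + (b"\xffCD001").ljust(SECTOR, b"\0")
           + root.ljust(SECTOR, b"\0") + pe.ljust(SECTOR, b"\0"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("COVID-19 Updates.iso", iso)
    return buf.getvalue()

if __name__ == "__main__":
    for p, verdict in triage("COVID-19 Updates.zip", build_sample_zip()):
        print(f"{p}: {verdict}")
```

Run stand-alone, the script reports the ISO and then the SCR inside it as a PE executable; feeding it a PE renamed to `.pdf` (the SBA loan lure's trick) yields "misleading extension" because the check reads the MZ/PE header, not the icon. In a mail gateway the same walk would run on every attachment, and any executable found inside a disk image is reason enough to quarantine the message.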