SWH vs. HTML ---> ISO ---> scripts
CinaRAT Delivered Through HTML ID Attributes, Author: Xavier Mertens
The above examples have very low detection on Virus Total.
The infection chain (delivery stage in blue):
email ---> HTML attachment ---> ISO created ---> VBScript file dropped ---> malicious script executed by the user
The user is instructed to open the HTML attachment and then to allow the ISO file to be mounted so that the script can be run.
SWH in default settings can block the attack at the delivery stage by blocking the VBScript file.
I have seen similar infection chains with archives (also blocked by SWH):
- email ---> ISO ---> Archive ---> payload
- email ---> ISO ---> self extracting EXE ---> scripts
But the infection chain below would be beyond the scope of SWH default settings:
email ---> ISO ---> final EXE payload
One could block it in SWH by adding the ISO extension to the Designated File Types - currently (SWH ver. 22.214.171.124), this extension is blocked with Paranoid Extensions.
As we know, SWH intentionally does not block EXE/MSI files, so in such cases, one has to rely on the AV.
Fortunately, the AV detection of EXE files is usually much better compared to fileless attacks.
Unfortunately, the opening of ISO files is managed by the Windows built-in handler, which does not support SRP.
But ISO files can still be protected by SRP when they are opened by 3rd party applications like WinISO or Daemon Tools.
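As an added illustration of the delivery stage described above (HTML attachment carrying an ISO that drops a script), here is a small triage script a mail-gateway or SOC engineer might run over an HTML attachment before it ever reaches a user. It is example code written for this post, not code from SWH, from the ISC diary, or from any product: it pulls long base64 runs out of the HTML, checks whether the decoded blob carries the ISO 9660 "CD001" descriptor signature at offset 0x8001, and then looks for script or executable file names inside the image (ISO 9660 stores names as upper-case `NAME.EXT;1`, Joliet stores them as UTF-16BE). The embedded sample HTML and the minimal ISO-like fixture are constructed for the demo and are not a mountable image; the extension list is an assumption you would tune to your own SRP Designated File Types.

```python
import base64
import re

# ISO 9660: the primary volume descriptor sits at sector 16 (0x8000); the 1-byte
# descriptor type is followed by the standard identifier "CD001" at 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Extensions worth flagging inside a mounted ISO. Constructed list for the demo;
# align it with the Designated File Types you actually enforce.
DROPPER_EXTS = ("vbs", "vbe", "js", "jse", "wsf", "wsh", "hta", "bat", "cmd", "ps1", "exe")


def build_fake_iso(filename: str) -> bytes:
    """Constructed fixture: a buffer that looks like an ISO 9660 image to the
    checks below (PVD magic plus one ISO 9660-style directory name).
    It is NOT a valid image and cannot be mounted."""
    img = bytearray(0x8000 + 4096)
    img[0x8000] = 1                      # descriptor type 1 = primary volume descriptor
    img[0x8001:0x8006] = ISO_MAGIC
    name = (filename.upper() + ";1").encode("ascii")   # ISO 9660 record form
    img[0x8800:0x8800 + len(name)] = name               # place it in a later sector
    return bytes(img)


def extract_base64_blobs(html: str, min_len: int = 256) -> list:
    """Decode every long base64 run found anywhere in the HTML (attribute values,
    script strings, text nodes). Short runs are ignored to cut noise."""
    blobs = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, html):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:
            continue                      # not real base64, skip it
    return blobs


def looks_like_iso(blob: bytes) -> bool:
    """True when the blob carries the ISO 9660 standard identifier."""
    return blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def dropper_names_in_iso(blob: bytes) -> list:
    """Crude scan of the raw image for script/executable names, without parsing
    the directory tree: ISO 9660 form 'NAME.EXT;1' and Joliet UTF-16BE form."""
    found = set()
    for ext in DROPPER_EXTS:
        iso_pat = re.compile(rb"[A-Z0-9_]{1,30}\." + ext.upper().encode() + rb";1")
        for m in iso_pat.finditer(blob):
            found.add(m.group(0).decode("ascii"))
        if ("." + ext).encode("utf-16-be") in blob:
            found.add("*." + ext + " (Joliet)")
    return sorted(found)


def triage_html_attachment(html: str) -> dict:
    """Return a verdict for one HTML attachment: 'clean', 'iso' (smuggled image,
    no recognised dropper name) or 'iso-with-dropper'."""
    result = {"iso_blobs": 0, "dropper_names": [], "verdict": "clean"}
    for blob in extract_base64_blobs(html):
        if looks_like_iso(blob):
            result["iso_blobs"] += 1
            result["dropper_names"].extend(dropper_names_in_iso(blob))
    if result["dropper_names"]:
        result["verdict"] = "iso-with-dropper"
    elif result["iso_blobs"]:
        result["verdict"] = "iso"
    return result


# Constructed sample: the ISO is carried in an HTML attribute, the shape the
# diary title refers to. A real attachment would decode it with JavaScript.
SAMPLE_HTML = (
    '<html><body><div id="'
    + base64.b64encode(build_fake_iso("invoice.vbs")).decode()
    + '"></div></body></html>'
)

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTML))
    print(triage_html_attachment("<html><body>plain newsletter</body></html>"))
```

The scan is deliberately shallow (no ISO directory parsing, no JavaScript evaluation), so treat a hit as a reason to quarantine and inspect, not as a full verdict; a clean result only means no smuggled ISO was found by this heuristic.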