Virtual disk files act as sealed containers that shield their contents from online and local security defenses, a trick adversaries can use to deliver malware to a target's computer unnoticed.
Vulnerability analyst Will Dormann last week published research showing that Windows treats VHD and VHDX files as an opaque black box.
The VHD bubble
The details stirred the interest of security researchers who used real malware encapsulated in a VHD file to test the detection rate of multiple antivirus engines. Products that normally detected the malware samples became blind to them.
Typically, virtual disk containers are large, since they are designed to act like a hard disk drive, but a VHD can be made small enough to fit in an email attachment.
Security researcher JTHL tested a sample of the Agent Tesla infostealer inside a 7 MB VHD file and fed it to antivirus scanning platforms. The detection rate was negligible.
static / dynamic .vhd are 2 different formats
neither well detected
agenttesla in 2 vhd's:
not detected by
Sophos Endpoint
PAN WildFire
Barracuda CPL + ATP + BESG
— JTHL (@JayTHL) virtual attachments bypass gmail chrome security
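As an added example, not part of the article, Dormann's research or JTHL's tests, the check below shows how a mail gateway or endpoint tool can recognise a VHD or VHDX attachment by its structure rather than its extension, so the container can be routed to a mount-and-scan step instead of being passed through as a black box. It also reads the footer's disk-type field to tell fixed ("static") from dynamic VHDs, the two formats the tweet mentions. The sample container is constructed inline from a dummy payload and a valid footer; it is not a bootable disk, and the field offsets follow the published VHD footer layout.

```python
import struct

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"          # magic at the start of every VHD footer
VHDX_SIGNATURE = b"vhdxfile"      # magic at offset 0 of a VHDX file
VHD_DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def vhd_footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum, computed with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def classify_virtual_disk(data: bytes):
    """Return a dict describing the container, or None if data is not a VHD/VHDX.

    Detection relies on structure, not on the file extension or MIME type,
    so a renamed attachment is still flagged for deeper inspection.
    """
    if data[:8] == VHDX_SIGNATURE:
        return {"format": "vhdx", "container_size": len(data)}
    if len(data) < VHD_FOOTER_SIZE:
        return None
    footer = data[-VHD_FOOTER_SIZE:]          # the VHD footer is the last 512 bytes
    if footer[:8] != VHD_COOKIE:
        return None
    (current_size,) = struct.unpack(">Q", footer[48:56])   # fields are big-endian
    disk_type, stored_checksum = struct.unpack(">II", footer[60:68])
    return {
        "format": "vhd",
        "disk_type": VHD_DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "virtual_size": current_size,         # size the guest would see once mounted
        "container_size": len(data),          # size of the attachment on disk
        "checksum_ok": stored_checksum == vhd_footer_checksum(footer),
    }


def build_sample_vhd(disk_type: int, virtual_size: int, payload: bytes) -> bytes:
    """Constructed sample: an arbitrary payload followed by a well-formed VHD footer."""
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 8, 2)                    # features: reserved bit set
    struct.pack_into(">I", footer, 12, 0x00010000)          # file format version 1.0
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512)
    struct.pack_into(">Q", footer, 40, virtual_size)        # original size
    struct.pack_into(">Q", footer, 48, virtual_size)        # current size
    struct.pack_into(">I", footer, 60, disk_type)
    struct.pack_into(">I", footer, 64, vhd_footer_checksum(bytes(footer)))
    return payload + bytes(footer)
```

A failed checksum or a container far smaller than its declared virtual size is itself worth logging, since a legitimate disk image is rarely hand-built to attachment size.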