Trustwave’s SpiderLabs reports that a recent campaign distributing AgentTesla has begun to use the Windows Imaging Format (WIM) as the carrier for the malware. Since Windows Vista, WIM has been the format Microsoft uses to package Windows components and updates. The attackers gained nothing from WIM beyond evading attachment filters that match on file extension: the image held a single file, stored uncompressed. Opened in a hex editor, the WIM shows that file's MZ and PE signatures in the clear, so the payload is plainly an executable. Relying on niche but legitimate formats to slip past security controls will likely remain effective as the more common evasions are closed off.
Knowing which file types arrive by email is the basis for writing rules at the mail server. A broadly applicable rule is to reject executables, including PEs (.exe, .dll, .scr and similar extensions), script files such as .vbs, .js and .hta, and Java JAR files. Archive and disk-image formats such as .zip, .iso and now .wim should also be considered for filtering, depending on how often employees genuinely need to send them over email when internal chat tools such as Slack and dedicated file-sharing services such as SharePoint are available. An extension rule is only as good as the name the sender chose, so pairing it with a check on the attachment's content (its magic bytes) catches files that were renamed to slip through. Most phishing documents and payloads can be stopped before a user ever sees them by developing sound email filtering policies and automated rules. When the burden of protecting the organization is lifted from users, trust can be built with those in operations, which paves the way for reporting and education.
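As an added example (not code from the SpiderLabs report or from this article), the following Python script shows the two checks above working together: an extension blocklist, and content sniffing that recognizes the WIM magic and confirms an embedded PE by following the MZ header's e_lfanew pointer to the "PE\0\0" signature rather than trusting the two-byte "MZ" alone. The blocklist, the sample attachments, and the fake PE stub are constructed for illustration; the stub carries only the signatures of a PE, not a runnable image.

```python
"""Attachment triage: extension blocklist plus content sniffing.

Added example, not code from the Trustwave/SpiderLabs report. The
attachment bytes built below are constructed for illustration; the PE
stub only has the MZ/PE signatures laid out the way a real image does.
"""
import struct

# Extensions commonly rejected at the mail gateway (assumption: tune per org).
BLOCKED_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".cpl",   # PE executables
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1",   # scripts
    ".jar",                                          # Java archives
    ".zip", ".iso", ".img", ".wim",                  # archives / disk images
}

WIM_MAGIC = b"MSWIM\x00\x00\x00"   # first 8 bytes of every WIM header
WIM_HEADER_SIZE = 0xD0             # fixed-size WIM header (208 bytes)


def blocked_by_extension(filename: str) -> bool:
    """Match on the final extension only, so 'report.pdf.exe' is '.exe'."""
    name = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def is_wim(data: bytes) -> bool:
    """True when the attachment starts with the WIM magic."""
    return data[:8] == WIM_MAGIC


def find_embedded_pe(data: bytes) -> list:
    """Return offsets of PE images anywhere in data.

    'MZ' alone is a weak signal (it occurs by chance in binary data), so each
    candidate is confirmed by reading e_lfanew (the DWORD at MZ+0x3C) and
    checking for 'PE\\0\\0' at that offset, exactly as the loader would.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            # Sane e_lfanew values are small; a huge one is just random bytes.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment should be held; empty means clean."""
    reasons = []
    if blocked_by_extension(filename):
        reasons.append("blocked extension")
    if is_wim(data):
        reasons.append("WIM image")
    pe_offsets = find_embedded_pe(data)
    if pe_offsets and pe_offsets[0] == 0:
        reasons.append("PE executable")
    elif pe_offsets:
        # A PE inside some other container: the AgentTesla-in-WIM case.
        reasons.append("embedded PE at offset(s) " + ", ".join(hex(o) for o in pe_offsets))
    return reasons


# --- constructed samples (not real malware) ---------------------------------

def fake_pe_stub() -> bytes:
    """256 zero bytes with 'MZ' at 0, e_lfanew = 0x80 and 'PE\\0\\0' at 0x80."""
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)
    stub[0x80:0x84] = b"PE\x00\x00"
    return bytes(stub)


def fake_wim_with_pe() -> bytes:
    """A WIM-style header (magic + zero padding) followed by an uncompressed PE."""
    header = WIM_MAGIC + bytes(WIM_HEADER_SIZE - len(WIM_MAGIC))
    return header + fake_pe_stub()


if __name__ == "__main__":
    for name, blob in [("invoice.pdf", fake_wim_with_pe()),
                       ("setup.exe", fake_pe_stub()),
                       ("notes.txt", b"hello world")]:
        print(name, "->", triage_attachment(name, blob) or "clean")
```

Run it directly to see the three constructed attachments triaged; the renamed WIM ("invoice.pdf") is flagged by content alone, which is the case an extension-only rule misses.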