In a report by Trustwave’s SpiderLabs, a recent campaign distributing AgentTesla has begun to use the Windows Imaging Format (WIM) as the carrier for the malware. Since Windows Vista, WIM has been used to deploy Windows components and updates. In the campaign delivering AgentTesla, the WIM served only to bypass email filters that block attachments by file extension: the archive held a single file and was not compressed. Opened in a hex editor, the WIM shows the MZ and PE headers that mark that file as an executable. Relying on niche but legitimate formats to evade security controls will likely remain effective as those controls improve.
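The hex-editor observation above can be turned into a gateway check. The following is an added example, not code from Trustwave, Binary Defense, or any tool the digest names: it reads the fixed WIM header (8-byte magic "MSWIM\0\0\0", header size 0xD0, version, flags, with bit 0x2 meaning resources are compressed, as laid out in the published WIM format and wimlib's implementation), and if the archive is uncompressed it scans the body for an MZ header whose e_lfanew points at a "PE\0\0" signature. The sample file is a constructed stand-in with no valid resource tables, not a real malware sample.

```python
"""Triage a WIM attachment for an embedded executable (added example)."""
import struct
from typing import List, Optional

WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 0xD0                 # fixed 208-byte header
WIM_HDR_FLAG_COMPRESSION = 0x00000002  # set when file resources are compressed
PE_SIGNATURE = b"PE\x00\x00"


def parse_wim_header(data: bytes) -> Optional[dict]:
    """Return basic header fields, or None if the blob is not a WIM."""
    if len(data) < WIM_HEADER_SIZE or data[:8] != WIM_MAGIC:
        return None
    # magic(8) | cbSize(4) | dwVersion(4) | dwFlags(4) ... all little-endian
    header_size, version, flags = struct.unpack_from("<III", data, 8)
    return {
        "header_size": header_size,
        "version": version,
        "compressed": bool(flags & WIM_HDR_FLAG_COMPRESSION),
    }


def find_embedded_pe(data: bytes, start: int = 0) -> List[int]:
    """Offsets of every MZ header whose e_lfanew lands on a 'PE\\0\\0' signature.

    Only uncompressed resources expose the PE this way; a compressed WIM
    would have to be unpacked first (e.g. with wimlib) before this scan
    means anything.
    """
    hits = []
    pos = data.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew: little-endian uint32 at offset 0x3C of the DOS header
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe_off = pos + e_lfanew
            if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_wim(data: bytes) -> dict:
    """Combine the checks into one verdict dict a mail-gateway hook could use."""
    hdr = parse_wim_header(data)
    if hdr is None:
        return {"is_wim": False, "compressed": None, "pe_offsets": []}
    # Resources live after the fixed header, so scan the body only.
    offsets = [] if hdr["compressed"] else find_embedded_pe(data, WIM_HEADER_SIZE)
    return {"is_wim": True, "compressed": hdr["compressed"], "pe_offsets": offsets}


def build_sample(compressed: bool = False) -> bytes:
    """Constructed test input: a WIM header followed by a minimal PE stub.

    Version 0x00010D00 is WIM 1.13; every other header field is zeroed,
    so this is not a loadable image, only enough to exercise the checks.
    """
    flags = WIM_HDR_FLAG_COMPRESSION if compressed else 0
    header = WIM_MAGIC + struct.pack("<III", WIM_HEADER_SIZE, 0x00010D00, flags)
    header = header.ljust(WIM_HEADER_SIZE, b"\x00")
    dos = bytearray(b"MZ".ljust(0x40, b"\x00"))
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    pe_stub = bytes(dos) + PE_SIGNATURE + b"\x4c\x01"  # Machine = IMAGE_FILE_MACHINE_I386
    return header + b"\x00" * 16 + pe_stub


if __name__ == "__main__":
    print(triage_wim(build_sample()))
    print(triage_wim(build_sample(compressed=True)))
```

The compressed branch deliberately reports no PE rather than guessing: a compressed WIM hides the MZ/PE bytes behind XPRESS or LZX, so a gateway should either decompress the resources or simply treat any WIM attachment as suspicious, since the digest's point is that the format itself is the evasion.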
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased