www.malwarebytes.com 2/5/2026, 2:10:22 PM · via preferred

Open the wrong “PDF” and attackers gain remote access to your PC

Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing a step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents, according to Securonix. Open the wrong “invoice” or “purchase order” and Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that enables attackers to remotely monitor and control the affected PC.

The infection chain is long, but each step looks legitimate enough to slip past casual checks, with victims typically receiving phishing emails that reference invoices or purchase orders and sometimes impersonate real companies.

The linked file is named as a PDF and shows a PDF icon, but is actually a VHD file. When opened, Windows mounts it as a new drive rather than opening a document viewer; a Windows Script File inside the image then launches AsyncRAT, which runs in memory within trusted Microsoft-signed processes such as RuntimeBroker[.]exe, OneDrive[.]exe, taskhostw[.]exe, or sihost[.]exe.

As a result, attackers can steal passwords, expose confidential files, surveil through screenshots or webcam capture, and use the machine as a foothold for other devices on the same network.
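As an added defensive example (not code from Securonix, Malwarebytes or the campaign itself), the following Python checks whether an attachment presented as a PDF is really a VHD/VHDX image by reading its magic bytes instead of trusting the name or icon; the file names and byte blobs are constructed for illustration.

```python
# Added example: flag attachments presented as PDFs whose bytes are a mountable
# VHD/VHDX disk image. All sample names and blobs below are constructed.

PDF_MAGIC = b"%PDF-"
VHDX_MAGIC = b"vhdxfile"   # VHDX file type identifier, first 8 bytes of the file
VHD_COOKIE = b"conectix"   # VHD footer cookie; the footer is the last 512 bytes, and
                           # dynamic/differencing VHDs also keep a copy at offset 0
VHD_FOOTER = 512

def identify(data: bytes) -> str:
    """Classify by content only; the file name and icon are attacker-controlled."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(VHDX_MAGIC):
        return "vhdx"
    if data[:8] == VHD_COOKIE:
        return "vhd"
    if len(data) >= VHD_FOOTER and data[-VHD_FOOTER:][:8] == VHD_COOKIE:
        return "vhd"
    return "unknown"

def looks_like_pdf(name: str) -> bool:
    """True if the name a user sees suggests a PDF, including 'invoice.pdf.vhd'."""
    return "pdf" in name.lower().split(".")[1:]

def is_disguised_disk_image(name: str, data: bytes) -> bool:
    """Name says PDF, content is a disk image: the mismatch described in the article."""
    return looks_like_pdf(name) and identify(data) in ("vhd", "vhdx")

def _fake_vhd(footer_copy_at_start: bool) -> bytes:
    # Constructed stand-in: 4 KiB of disk data plus a 512-byte footer starting with the cookie.
    footer = VHD_COOKIE.ljust(VHD_FOOTER, b"\x00")
    return (footer if footer_copy_at_start else b"") + b"\x00" * 4096 + footer

# Constructed samples: a genuine PDF, a double-extension VHD, a VHD with its extension
# changed to .pdf, and a VHDX.
SAMPLES = {
    "Invoice_4471.pdf": b"%PDF-1.7\n%constructed\n",
    "Invoice_4471.pdf.vhd": _fake_vhd(footer_copy_at_start=False),
    "PurchaseOrder.pdf": _fake_vhd(footer_copy_at_start=True),
    "PurchaseOrder.pdf.vhdx": VHDX_MAGIC + b"\x00" * 56,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:24} content={identify(blob):7} disguised={is_disguised_disk_image(name, blob)}")
```

A mail gateway or EDR hook would apply `is_disguised_disk_image` to the attachment name and its first and last 512 bytes; a match is a strong signal regardless of what the icon shows.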

Article by CyberSIXT