
SANS ISC: InfoSec Handlers Diary Blog - Malicious .iso Attachments



Malicious .iso Attachments

Published: 2017-07-21
Last Updated: 2017-07-21 22:23:02 UTC
by Didier Stevens (Version: 1)

We've been informed of recent malware campaigns that deliver .iso attachments (.iso files are CD/DVD images). These .iso files contain a malicious executable.

Since Windows 8, Windows mounts an .iso file automatically when it is opened (double-clicked), so the user sees its contents as a drive without needing any extra software. In this respect, these .iso attachments behave just like .zip attachments carrying malware.

Here is an example of an email with .iso attachment:

This email file can be analyzed with emldump:

Part 5 contains the attached .iso file (Quotation-0568.iso), which can be extracted like this:

There are several methods to analyze .iso files, even with Python. Here we will use 7-Zip:

The executable can be extracted like this:

It is indeed a PE file:
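The same triage can be done without 7-Zip. The following is an added example (not part of this diary and not one of Didier's tools): a minimal ISO 9660 walker that lists the files in an image and flags those that start with the DOS "MZ" header, together with a builder that produces a constructed test image standing in for the attachment. It assumes a plain ISO 9660 image (no Joliet or Rock Ridge extensions, directory records read via their little-endian fields); the file names and contents are invented.

```python
import struct
SECTOR = 2048  # ISO 9660 logical block size

def iso_files(img):
    """Walk an ISO 9660 image and return [(path, is_pe)]; is_pe is True when the file starts with 'MZ'."""
    pvd = img[16 * SECTOR:17 * SECTOR]            # primary volume descriptor (PVD) is sector 16
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    # root directory record sits at PVD offset 156: extent LBA at +2, size at +10 (little-endian copies)
    todo = [("", struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0])]
    found = []
    while todo:
        prefix, lba, size = todo.pop()
        off, end = lba * SECTOR, lba * SECTOR + size
        while off < end:
            if img[off] == 0:                         # zero length byte: rest of this sector is padding
                off = (off // SECTOR + 1) * SECTOR
                continue
            extent, length = struct.unpack_from("<I", img, off + 2)[0], struct.unpack_from("<I", img, off + 10)[0]
            name = img[off + 33:off + 33 + img[off + 32]].decode("ascii", "replace")
            if name not in ("\x00", "\x01"):          # skip the '.' and '..' entries
                if img[off + 25] & 0x02:              # file-flags bit 1 marks a directory
                    todo.append((prefix + name + "/", extent, length))
                else:                                 # drop the ';1' version suffix, test for the DOS 'MZ' stub
                    data = img[extent * SECTOR:extent * SECTOR + length]
                    found.append((prefix + name.split(";")[0], data[:2] == b"MZ"))
            off += img[off]
    return found

def build_sample_iso(files):  # constructed minimal ISO 9660 image (flat root directory) for testing; not a real sample
    def rec(ident, lba, length, flags):            # one directory record; integer fields are both-endian
        r = bytearray(33) + ident
        r[2:10] = struct.pack("<I", lba) + struct.pack(">I", lba)
        r[10:18] = struct.pack("<I", length) + struct.pack(">I", length)
        r[25], r[28:32], r[32] = flags, struct.pack("<H", 1) + struct.pack(">H", 1), len(ident)
        r += bytes(len(r) % 2)                     # records are padded to an even length
        r[0] = len(r)
        return bytes(r)
    img = bytearray(19 * SECTOR)                   # sectors 0-15 system area, 16 PVD, 17 terminator, 18 root dir
    img[16 * SECTOR:16 * SECTOR + 7], img[17 * SECTOR:17 * SECTOR + 7] = b"\x01CD001\x01", b"\xffCD001\x01"
    root = rec(b"\x00", 18, SECTOR, 2)             # '.' entry of the root directory, also stored in the PVD
    img[16 * SECTOR + 156:16 * SECTOR + 190] = root
    dirsec = root + rec(b"\x01", 18, SECTOR, 2)    # '..' entry
    for name, data in files:                       # each file becomes a sector-aligned extent after sector 18
        dirsec += rec(name.encode() + b";1", len(img) // SECTOR, len(data), 0)
        img += data.ljust(-(-len(data) // SECTOR) * SECTOR, b"\0")
    img[18 * SECTOR:18 * SECTOR + len(dirsec)] = dirsec
    return bytes(img)

# Constructed stand-ins for the attachment's contents (a PE stub and a decoy text file), not real malware.
SAMPLE_FILES = [("QUOTATION.EXE", b"MZ\x90\x00" + bytes(60)), ("README.TXT", b"just a decoy")]
```

Run `iso_files(open("Quotation-0568.iso", "rb").read())` on a real extracted attachment to get the same listing 7-Zip gives, with the PE flag per file.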

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: iso malware