{
	"id": "261e14de-dd4a-40d2-8f94-1b00d11cafa4",
	"created_at": "2026-04-06T00:14:26.841202Z",
	"updated_at": "2026-04-10T03:22:13.960373Z",
	"deleted_at": null,
	"sha1_hash": "37bdd4d6b8f3440a0346c3def3d9bcd8e3dc74bd",
	"title": "Weaponized Disk Image Files: Analysis, Trends and Remediation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3514381,
	"plain_text": "Weaponized Disk Image Files: Analysis, Trends and Remediation\r\nBy Guillermo Taibo\r\nArchived: 2026-04-05 19:50:10 UTC\r\nThroughout 2019 and the beginning of 2020, the CrowdStrike® Falcon Complete™ team continuously observed a spike in the delivery of weaponized disk image files. Files such as ISO and IMG were sent to infect systems with the goal of delivering remote access trojans (RATs) as well as a few other malware variants. We’ve identified that these files are typically delivered via phishing campaigns as an attachment or link — a malicious URL in the body of the email or within crack software downloads. Cybercriminals have been taking advantage of built-in Windows capabilities to mount disk image files once they are opened by the end user. There are multiple disk image file formats, but we have seen ISO and IMG files being abused the most. A disk image is essentially a virtual copy of a physical disk that houses all of its files and must be mounted in order to access its contents. The advantages of using disk images, combined with the easy access to purchasing RATs, make this a preferred and effective method for cybercriminals. In this blog, I dissect a campaign that uses this method to compromise a system, providing insight into what the CrowdStrike Falcon® Complete team has observed since 2019. I will also provide step-by-step remediation along with recommendations for how to implement this approach in your network.\r\nParcel-themed Phishing Email Scenario\r\nThe chain starts with a simple email containing a disk image file (.IMG) to socially engineer the victim into viewing the contents. The message appears to come from a worldwide package delivery company.\r\nFigure 1. Phishing contents sample. The delivery company did not send this email.\r\nhttps://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/\r\nPage 1 of 17\r\nThe attachment in this sample is only 2MB, which immediately raises a flag, as disk images are typically larger in size.\r\nFigure 2. IMG file properties\r\nDouble-clicking on the file allows Windows 8 and Windows 10 to mount the IMG file natively to the next available drive letter. This sample uses a PDF icon as a disguise.\r\nFigure 3. IMG file mounted on disk\r\nAnalysis\r\nExeinfo PE identified the binary as a compiled AutoIt script, version 3. AutoIt is a scripting language used to automate Windows GUI tasks. Cybercriminals first compile these scripts into an executable using the Aut2Exe compiler, then package the executable into a disk image file for wide distribution in campaigns.\r\nFigure 4. Exeinfo PE against binary e-voucher.exe\r\nDumping the RCDATA resource and reviewing the strings shows AU3!, a string commonly seen in AutoIt-compiled scripts.\r\nFigure 5. Hexdump of e-voucher.exe\r\nThe AutoIt script is obfuscated and serves as a dropper that eventually loads the NanoCore RAT on the intended system.\r\nFigure 6. Snippet of obfuscated AutoIt script\r\nBeginning on line 9746 in Figure 6, we can see the following three resources: dusmtask1, bdechangepin2 and aadWamExtension3. The script merges these three resources and passes the key “hwnglongpcoiftynieblwrqseblfkkwvfvbhnizgvvfanyqbrn” as the second parameter to the function swydxtrwncfvpukruyyjvmtphe(). To decrypt, it creates a hash from this key using CryptCreateHash, then uses CryptDeriveKey to derive a separate session key from the result of CryptCreateHash. Finally, CryptDecrypt is used to decrypt the resource.\r\nFigure 7. Encrypted stream prior to CryptDecrypt\r\nFigure 8. Contents decrypted after CryptDecrypt returns\r\nOnce the contents are decrypted, the dropper uses the CreateProcessW function to spawn the legitimate process RegAsm.exe in a suspended state using the process creation flag 0x00000004 (CREATE_SUSPENDED).\r\nFigure 9. x32dbg debugger: CreateProcessW starts RegAsm.exe in suspended state\r\nShortly after, it allocates memory in the new process for the malicious payload that was decrypted earlier. This memory region is created with memory protection 0x40 (PAGE_EXECUTE_READWRITE).\r\nFigure 10. x32dbg debugger: VirtualAllocEx allocating memory space\r\nFinally, WriteProcessMemory writes the decrypted contents into this newly allocated memory region.\r\nFigure 11. x32dbg debugger: WriteProcessMemory writing into memory region\r\nInspecting RegAsm.exe using ProcessHacker shows the memory region at 0x400000 that was created earlier, now filled with the payload. The sample uses the well-known process hollowing technique to replace the contents of RegAsm.exe with its payload.\r\nFigure 12. ProcessHacker showing memory region injected with malicious code\r\nAfter dumping the malicious code out of memory, we can confirm that it is a .NET binary packed with Eazfuscator.\r\nFigure 13. Exeinfo displaying packer information on dumped process\r\nRunning de4dot against this copy deobfuscates it, exposing readable strings.\r\nFigure 14. dnSpy after deobfuscation\r\nThe malware then drops a copy of itself to the path C:\\Users\\username\\PasswordOnWakeSettingFlyout\\DataExchangeHost.exe. In addition, it establishes persistence by placing a URL shortcut in the StartUp folder that points to the copy of NanoCore RAT, so that it survives reboot. A malicious VBS script named AppVEntSubsystems64.vbs is also dropped in the same directory where DataExchangeHost.exe resides.\r\nFigure 15. VBS script contents\r\nThe Falcon Complete team has seen obfuscated variations of the script above with the same ultimate goal, such as the one in Figure 16.\r\nFigure 16. VbsEdit debugging obfuscated script\r\nA copy of RegAsm.exe is dropped onto disk and added to the Run key so that it launches at user logon, as seen in Falcon’s Process Tree viewer. Falcon also logs the network connection used as the C2 in this sample, as seen in Figure 17.\r\nFigure 17. Falcon Process Tree displaying registry operations and DNS request\r\nThe functionality of NanoCore RAT has been covered heavily, so this blog will not focus on it. Figure 18 shows the same detection in Falcon’s UI, but this time being prevented after running the same sample with the detection and prevention settings set to “Aggressive.”\r\nFigure 18. Prevention policy enabled\r\nRemediation:\r\nRemediation Difficulty\r\nThe remediation can be summarized in the following steps:\r\n1. Identify and confirm that the detection originates from a virtually mounted drive:\r\n- Find the location of the disk image on disk\r\n- Unmount the virtual drive\r\n- Remove the IMG file from disk\r\n2. Terminate the injected process\r\n3. Remove the registry entry\r\n4. Remove related directories and files\r\nSTEP 1: Identify and Remove the Mounted Disk Image\r\nIn order to identify, confirm and remove the IMG file that was mounted, we first query the WMI class Win32_CDROMDrive, as shown in Figure 19, which reports what is currently mounted along with the drive letter and the volume name.\r\nFigure 19. Output of WMI command\r\nNow that we’ve identified what’s mounted, we use the PowerShell Get-DiskImage cmdlet to retrieve the objects associated with the IMG file, which indicate where the file resides on disk.\r\nFigure 20. Output of PowerShell Get-DiskImage command\r\nUse the image path obtained from the previous command’s output to unmount this virtual disk. If the process is actively running, terminate it first. The disk must be unmounted before the IMG file can be removed.\r\nFigure 21. Unmounting IMG file using Dismount-DiskImage\r\nSTEP 2: Terminate the Injected Process\r\nFrom Falcon’s Process Tree, we discovered the injected RegAsm.exe process running under process ID 4952. Terminate this process with the built-in “kill” command, using the process ID discovered.\r\nFigure 22. Terminated process output\r\nSTEP 3: Remove the Registry Entry\r\nNext, we remove the registry entry that was created at infection time by using the PowerShell command in Figure 23.\r\nFigure 23. Deleting registry entry successfully\r\nSTEP 4: Remove Related Directories and Files\r\nFinally, we remove all remaining directories and files that were discovered during timeline analysis of the system.\r\nFigure 24. Removing artifacts from disk output\r\nFigure 25. Removing artifacts from disk output\r\nFigure 26. Removing artifacts from disk output\r\nThis completes the remediation steps we execute to tackle such variants when discovered. Note that in this scenario, we purposely turned off the prevention policy while leaving the detection policy turned on, for illustrative purposes. Within the scope of our service, we have observed Warzone, NanoCore and Agent Tesla to be the RATs most preferred by cybercriminals, among others, as seen in Figure 27.\r\nFigure 27. Malware family breakdown\r\nThe entry vector for these has primarily been phishing emails, along with torrent/crack software that users download onto their machines disguised as movies, games or music, and infected USB media.\r\nFigure 28. Entry vector breakdown\r\nThese campaigns are spread widely across multiple verticals, with the hospitality sector being the most affected.\r\nFigure 29. Affected verticals observed\r\nRecommendations\r\n1. Gain advanced visibility across your endpoints with an endpoint detection and response (EDR) solution such as the CrowdStrike Falcon® platform. Turn on next-gen antivirus (NGAV) preventative measures to stop malware.\r\n2. Leverage a Layer 7 firewall that can perform deep packet inspection to examine the traffic and block P2P protocol types.\r\n3. Observe inbound emails received during a short span of time to see the volume of disk image files being delivered as attachments. If applicable, block known disk image file types such as IMG, ISO, DAA, VHD, CDI, VMDK, etc., to reduce the attack surface.\r\n4. Leverage a proxy to proactively block sites that are uncategorized/unknown, as we’ve seen new sites registered shortly before phishing campaigns are executed.\r\n5. Incorporate a phishing awareness program internally, and routinely test employees with phishing test emails.\r\nWe’ve seen a shift toward cybercriminals using AutoIt and disk images to further achieve their objectives through various mass phishing campaigns. We believe this shift is primarily to evade detection by legacy AV software and bypass the email gateway, as most are not inspecting or blocking these file types, and no additional software is required to mount these disk images because Windows mounts them natively. We predict that in 2020 we will continue to see this trend as RATs become increasingly accessible to cybercriminals.\r\nAdditional Resources\r\nLearn more about the CrowdStrike Falcon® platform by visiting the webpage.\r\nLearn how you can raise your organization’s cybersecurity maturity to the highest level immediately with CrowdStrike Falcon® Complete™.\r\nLearn how you can take advantage of automated malware analysis and sandbox by visiting the CrowdStrike Falcon Sandbox™ webpage.\r\nLearn how CrowdStrike combines automated analysis with human intelligence to enable security teams to get ahead of the attacker's next move by visiting the CROWDSTRIKE FALCON® INTELLIGENCE™ webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/"
	],
	"report_names": [
		"weaponizing-disk-image-files-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434466,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/37bdd4d6b8f3440a0346c3def3d9bcd8e3dc74bd.pdf",
		"text": "https://archive.orkl.eu/37bdd4d6b8f3440a0346c3def3d9bcd8e3dc74bd.txt",
		"img": "https://archive.orkl.eu/37bdd4d6b8f3440a0346c3def3d9bcd8e3dc74bd.jpg"
	}
}