Bypassing perimeter security with VHD files

Security analysts are once again discussing creative payload delivery methods. For example, IcedID is currently being dropped via ISO files. This gives us, as defenders, one more piece of ammunition to strengthen our (perimeter) security and to test our security solutions against malware delivered via ISO files.
But do you remember that we had a similar discussion several years ago about VHD files, which are completely ignored by AV products? Unfortunately, nothing has really changed in the AV industry, and VHD files are still not being examined.
Let me show you how attackers can still bypass your (perimeter) security with VHD files and deliver their malware directly to your machine.
Create a loop device first and format it properly:

```shell
sudo dd if=/dev/zero of=/tmp/image.raw bs=1M count=5
sudo losetup -P /dev/loop0 /tmp/image.raw
gparted /dev/loop0
```

- Device -> Create Partition Table and use the defaults (msdos)
- Partition -> New -> create a primary partition and use ntfs as the filesystem
- Edit -> Apply All Operations
Now drop your payload (an EICAR file in this case) onto your newly created filesystem:

```shell
mkdir /tmp/img
sudo mount /dev/loop0p1 /tmp/img
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /tmp/img/eicar.com
sudo umount /tmp/img
sudo losetup -d /dev/loop0
```
And convert your raw image into a VHD file (the paths match the image created above):

```shell
VBoxManage convertfromraw /tmp/image.raw /tmp/image.vhd --format VHD --variant Fixed
```

That's it!
Uploading the VHD file to VirusTotal reveals that we are still in the same situation as in 2019.
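Since AV products do not look inside VHD containers, a defender can at least make sure the perimeter recognises them. The following is an added example, not code from the original post: it identifies a fixed VHD (the variant VBoxManage produces above) by its trailing 512-byte footer, verifies the footer checksum and flags such attachments regardless of their extension. The file names and disk bytes are constructed placeholders.

```python
import struct
from typing import Optional

VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"            # magic at the start of every VHD footer
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def vhd_footer_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer, with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF

def inspect_vhd(data: bytes) -> Optional[dict]:
    """Return footer facts if the last 512 bytes form a VHD footer, else None; ignores the file name."""
    if len(data) < VHD_FOOTER_SIZE:
        return None
    footer = data[-VHD_FOOTER_SIZE:]
    if footer[:8] != VHD_COOKIE:
        return None
    current_size, = struct.unpack(">Q", footer[48:56])
    disk_type, stored_checksum = struct.unpack(">II", footer[60:68])
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "current_size": current_size,
        "checksum_ok": stored_checksum == vhd_footer_checksum(footer),
    }

def flag_vhd_attachments(files: dict) -> list:
    """Names of all attachments that are VHD containers, whatever their extension says."""
    return [name for name, data in files.items() if inspect_vhd(data) is not None]

def build_fixed_vhd(raw: bytes) -> bytes:
    """Constructed test input: raw disk bytes followed by a minimal fixed-disk footer."""
    footer = bytearray(VHD_FOOTER_SIZE)
    footer[0:8] = VHD_COOKIE
    footer[8:12] = struct.pack(">I", 2)            # features: reserved bit is always set
    footer[12:16] = struct.pack(">I", 0x00010000)  # file format version 1.0
    footer[16:24] = b"\xff" * 8                    # data offset: none for a fixed disk
    footer[40:56] = struct.pack(">QQ", len(raw), len(raw))  # original and current size
    footer[60:64] = struct.pack(">I", 2)           # disk type 2 = fixed (VBoxManage --variant Fixed)
    footer[64:68] = struct.pack(">I", vhd_footer_checksum(bytes(footer)))
    return raw + bytes(footer)

# Constructed sample set: placeholder disk bytes, not a real filesystem image.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.7 placeholder",
    "invoice.vhd": build_fixed_vhd(b"\x00" * 4096),
    "notes.dat": build_fixed_vhd(b"\x00" * 1024),   # VHD hiding behind a neutral extension
}
```

A gateway rule built on this check can quarantine or at least log VHD attachments, which is exactly the blind spot the VirusTotal result above shows.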

We can download the file to a Windows machine and mount it easily.


I hope this quick demonstration helps you improve your security posture and gives you an opportunity to add this scenario to your breach and attack simulations. I am quite sure there are still multiple delivery methods besides ISO and VHD.