Team: Huntress EDR
Product: Disk Image File (ISO, IMG, VHD, VHDX)
Summary: Huntress suggests modifying the default option for accessing disk image files from "mount" to "burn disc image" within Windows to help mitigate the threat of malicious actors.
In February 2022, Microsoft announced that it planned to modify the default behavior of macros in Office documents downloaded from the Internet, with the intent of inhibiting or obviating attacks that used this technique (i.e., getting a user to open and enable macros in a weaponized MS Word document or Excel spreadsheet). Shortly thereafter, we began to see (as have others) an increase in threat actors moving to an alternate technique: sending disk image (.ISO, .IMG, .VHD, .VHDX) files, often inside a ZIP archive. These disk image files bypassed mark-of-the-web (MOTW) “protections”, as the MOTW was not propagated to files within the disk image file. It should be noted that Microsoft has fixed this issue, and MOTW is reportedly now propagated within disk image files. This technique for delivering malware has been observed being used by threat actors intent upon infecting systems with Qakbot, a banking Trojan known to be leveraged for further infections.
The default behavior when accessing disk image files, either via right-clicking to raise the context menu (as illustrated in figure 1), or double-clicking on the file, is to mount the file, making it accessible as an additional volume.
Figure 1: Right-click Context Menu
Choosing “Mount” from the context menu, or double-clicking, results in the disk image file being mounted as a new volume, as illustrated in figure 2.
Figure 2: ISO file mounted as D:\
Threat actors rely on unsuspecting users to automatically mount the disk image file, and then double-click a file within the new volume, such as a Windows shortcut (LNK) file. However, these attacks can be inhibited or even obviated by modifying the default behavior for these file types, as described in a blog post titled “Blocking ISO Mounting”.
The simplest way to implement this prevention mechanism on a single system is to open the Registry Editor and navigate to the HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount subkey. Within this key, add a new “REG_SZ” value named “ProgrammaticAccessOnly”, as illustrated in figure 3. You do not need to add any data to this new value.
Figure 3: New Registry value added
Once this new value has been added, the setting takes effect without a reboot. Right-clicking on the disk image file then results in a context menu where the default option is no longer “Mount”, but is instead “Burn disc image”, as illustrated in figure 4.
Figure 4: Context menu with “Burn disc image” option
The command line to add this value using the native Windows utility "reg.exe" is:
reg add HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount /v ProgrammaticAccessOnly /t REG_SZ
For VHD/VHDX files, adding the “ProgrammaticAccessOnly” value (just the value name, no data required) to the HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount subkey will have the same effect, preventing users from automatically mounting the disk image file by double-clicking, or right-clicking and choosing “Mount”. However, users will still be able to access the disk image files through the use of an application.
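The following PowerShell script is an added example, not part of the Huntress article. It applies the ProgrammaticAccessOnly value to both the Windows.IsoFile and Windows.VhdFile "mount" subkeys described above, and goes one step beyond the text by adding an audit function that reports whether each key already carries the value. It assumes an elevated PowerShell session; the function names are the example's own.

```powershell
# Added example (not from the Huntress article): apply and audit the empty
# ProgrammaticAccessOnly REG_SZ value that hides the shell "Mount" verb for
# ISO/IMG and VHD/VHDX files. HKCR is not a default PSDrive, so the keys are
# addressed through the Registry:: provider path. Run from an elevated session.
$MountVerbKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount',
    'Registry::HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount'
)
$ValueName = 'ProgrammaticAccessOnly'

function Test-MountVerbHidden {
    # Audit: one object per key, reporting whether the key exists and whether
    # the ProgrammaticAccessOnly value (any data, usually empty) is present.
    foreach ($key in $MountVerbKeys) {
        $keyExists = Test-Path -LiteralPath $key
        $hidden = $false
        if ($keyExists) {
            $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
            $hidden = ($null -ne $item) -and ($item.PSObject.Properties.Name -contains $ValueName)
        }
        [pscustomobject]@{ Key = $key; KeyExists = $keyExists; MountHidden = $hidden }
    }
}

function Set-MountVerbHidden {
    # Mitigation: create the empty REG_SZ value under each mount verb key.
    # -Force makes this idempotent; no reboot is required for it to take effect.
    foreach ($key in $MountVerbKeys) {
        if (-not (Test-Path -LiteralPath $key)) {
            Write-Warning "Key not found, skipping: $key"
            continue
        }
        New-ItemProperty -LiteralPath $key -Name $ValueName -PropertyType String -Value '' -Force | Out-Null
    }
}

Set-MountVerbHidden
Test-MountVerbHidden | Format-Table -AutoSize
```

Running Test-MountVerbHidden on its own (for example from a scheduled task) gives a quick compliance check across systems without changing anything.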
The result of this new value is that the default option for disk image files with either .iso or .img file extensions is no longer to mount the image, but instead to attempt to “burn” the image to a CD or DVD. Because the image can no longer be mounted automatically, users can now reach the contents of an image file only through a program that opens the image file.
Organizations should strongly consider modifying systems to obviate this access method. If there is a critical business need for users to directly access disk image files, then organizations should strongly consider limiting such access to specific, identified systems, and should also strongly consider prohibiting users from accessing email via those systems.
Would it be wise to do the same for VHD and VHDX files since the native behavior is similar in the Windows shell?
JJDUB, great question. You can do a similar thing to disable the context for VHD/VHDX files, here's how: https://www.tenforums.com/tutorials/30231-add-remove-mount-context-menu-windows-10-a.html