Phishing Attack’s Unusual File Attachment is a Double-edged Sword

A threat actor is using an unusual attachment type to bypass security software, but the choice is a double-edged sword that may work against them.

As secure email gateways and security software become more advanced and adapt to ever-changing phishing campaigns, threat actors resort to more unusual file formats to bypass detection.

In the past, phishing campaigns have switched to unusual attachments such as ISO or TAR files, which are not commonly found as email attachments.

However, as threat actors adopt new and unusual attachments, cybersecurity companies add further detections to block them.

Using WIM to bypass security

In a new report by Trustwave, researchers explain how a threat actor has begun to utilize WIM (Windows Imaging Format) attachments to distribute the Agent Tesla remote access trojan.


“All the WIM files we gathered from our samples contain Agent Tesla malware. This threat is a Remote Access Trojan (RAT) written in .Net which can take full control over a compromised system and can exfiltrate data via HTTP, SMTP, FTP, and Telegram,” explains Trustwave security researcher Diana Lopera in the report.

These campaigns start with phishing emails that pretend to be shipping information from DHL or Alpha Trans, as shown below.

Phishing email distributing WIM files
Source: TrustWave

Included in the emails are WIM attachments, with file names ending in .wim or .wim.001, designed to bypass security software.

Windows Imaging Format (WIM) files are a file-based disk image format that Microsoft developed to aid in deploying Windows Vista and later operating systems.

WIM files are used to pack an entire drive, with all of its files and folders, into a single file for easy distribution.

As you can see below, when one of these WIM attachments is opened in a hex editor, it clearly shows that an executable is enclosed within it.

Hex editing a WIM attachment
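As an added example that is not part of the original report or of Trustwave's tooling, the following Python sketch shows how a mail filter can recognise a WIM container by its 8-byte signature rather than its extension (so a .wim.001 split part is still caught), read the part-number and compression fields from the header, and look for an embedded PE image in an uncompressed archive, which is what the hex view above reveals. The header offsets follow the public WIM format; the sample blob is constructed here and is not a real malware sample.

```python
import struct

WIM_MAGIC = b"MSWIM\x00\x00\x00"   # 8-byte signature at offset 0 of every WIM file
FLAG_COMPRESS_XPRESS, FLAG_COMPRESS_LZX = 0x00020000, 0x00040000

def parse_wim_header(data: bytes):
    """Return the leading WIM header fields, or None if the blob is not a WIM."""
    if len(data) < 48 or data[:8] != WIM_MAGIC:
        return None
    # LE layout: 8 size, 12 version, 16 flags, 20 chunk, 24 GUID, 40 part, 42 parts, 44 images
    hdr_size, version, flags, chunk = struct.unpack_from("<IIII", data, 8)
    part, total, images = struct.unpack_from("<HHI", data, 40)
    return {"header_size": hdr_size, "version": version, "flags": flags, "chunk_size": chunk,
            "part": part, "total_parts": total, "images": images,
            "compressed": bool(flags & (FLAG_COMPRESS_XPRESS | FLAG_COMPRESS_LZX))}

def contains_pe(data: bytes) -> bool:
    """True if an MZ stub whose e_lfanew points at a 'PE\\0\\0' signature is embedded."""
    pos = data.find(b"MZ")
    while 0 <= pos <= len(data) - 0x40:        # stop once no full DOS header can follow
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        if data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
            return True
        pos = data.find(b"MZ", pos + 1)
    return False

def triage_attachment(name: str, data: bytes) -> str:
    """Gateway verdict: the container is recognised by magic bytes, not by extension."""
    hdr = parse_wim_header(data)
    if hdr is None:
        return "not-wim"
    reasons = ["wim-container"]
    if hdr["total_parts"] > 1:                 # split WIM, e.g. delivered as .wim.001
        reasons.append(f"split-part-{hdr['part']}-of-{hdr['total_parts']}")
    if not name.lower().endswith(".wim"):
        reasons.append("extension-mismatch")
    if not hdr["compressed"] and contains_pe(data):   # stored files are visible in plain bytes
        reasons.append("embedded-pe")
    return "block:" + ",".join(reasons)

def build_sample(compressed: bool, parts=(1, 1)) -> bytes:
    """Constructed test blob (not a real sample): 208-byte WIM header plus a minimal MZ/PE stub."""
    hdr = bytearray(208)
    hdr[:8] = WIM_MAGIC
    struct.pack_into("<IIII", hdr, 8, 208, 0x10D00, FLAG_COMPRESS_LZX if compressed else 0, 0x8000)
    struct.pack_into("<HHI", hdr, 40, parts[0], parts[1], 1)
    stub = bytearray(b"MZ") + bytearray(0x42)  # 0x44-byte DOS header region
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> PE signature right after the stub
    stub[0x40:] = b"PE\x00\x00"
    return bytes(hdr) + bytes(stub)
```

Run `triage_attachment("invoice.wim.001", build_sample(True, (1, 2)))` to see the split-part and extension findings for an attachment like those in the campaign.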

However, while WIM files may be less likely to be detected, phishing campaigns that use them have a bigger problem as Windows has no built-in mechanism to open a WIM file.

Therefore, when a user attempts to open the attachment in Windows, they will just be greeted with a message asking them to select the program to open the file, as shown below.

Opening a WIM file in Windows

This file format would then require a recipient to go out of their way and extract the file using a program like 7-zip and then double-click on the file within it, which is highly unlikely to happen.


Extracting WIM file using 7-Zip

Unusual attachments are a double-edged sword

While using an uncommon attachment may bypass some security filters, they are also likely a double-edged sword for the threat actor.

This is because most devices do not have a specialized program such as 7-Zip installed to open the files, and few recipients will make the extra effort to extract them.

“Encapsulating malware in an unusual archive file format is one of the common ways to bypass gateways and scanners. However, this strategy also poses a hurdle – the target system must recognize the file type or at least have a tool which can unpack and process the file,” says Lopera.

“In contrast to the more popular .IMG and .ISO disk image files, WIM files are not supported by Windows built-in ability to mount disk image files. Moreover, the other popular archive utilities WinRAR and WinZip do not recognize the WIM disk image. WIM files can be processed with the widely used 7Zip.”

Secure email gateways will soon block these attachments, if they do not already. However, if you do run into an email with a WIM attachment, simply delete it, as no legitimate email will use this file format.
