Container File Abuse (ISO, IMG, LNK)

ISO, IMG, VHD, and other container formats bypassed Mark-of-the-Web protections and became the primary delivery method after Microsoft blocked macros in 2022.

MITRE ATT&CK: T1566.001

Timeline: The Cat and Mouse

2018 ← Attack emerges → 2022 ← Industry responds → 2023 ← Attackers adapt → Present

The Evolution

Phase      | Period   | What Happened
ATTACK     | 2018     | ISO MOTW gap discovered: files inside mounted containers lack Zone.Identifier
           | 2021     | NOBELIUM (Russia) uses ISO delivery in targeted attacks
PEAK       | Feb 2022 | Microsoft blocks macros by default; attackers need a new delivery method
           | Q2 2022  | Mass pivot: QakBot, Emotet, IcedID shift to ISO/LNK delivery
RESPONSE   | Nov 2022 | Microsoft patches CVE-2022-41091; MOTW now propagates to ISO contents
           | 2022     | Email gateways begin blocking ISO/IMG attachments
ADAPTATION | Jan 2023 | Attackers pivot to OneNote embedded files
           | Apr 2023 | Microsoft blocks dangerous file types in OneNote
CURRENT    | 2024+    | Password-protected archives, HTML smuggling, nested containers

Key Events with Sources

Date     | Event                              | Significance                                         | Source
2018     | ISO MOTW gap identified            | Files inside mounted ISOs lack Zone.Identifier       | Outflank Research
Feb 2022 | Microsoft announces macro blocking | VBA macros from internet blocked by default          | Microsoft Docs
Q2 2022  | Mass pivot to ISO/LNK              | QakBot, Emotet, IcedID shift delivery methods        | Proofpoint
Nov 2022 | CVE-2022-41091 patched             | MOTW now propagates to ISO/IMG contents              | Microsoft MSRC
Jan 2023 | OneNote abuse surge                | Attackers pivot after ISO patch                      | Bleeping Computer
Apr 2023 | OneNote embedded files blocked     | Microsoft restricts dangerous file types in OneNote  | Microsoft
2024     | Continued adaptation               | Password-protected archives, HTML smuggling combos   | Cofense

Overview

Mark-of-the-Web (MOTW) tags files downloaded from the internet, triggering security warnings and Protected View in Office. Container files (ISO, IMG, VHD) historically didn’t propagate MOTW to their contents. When Microsoft blocked macros by default in February 2022, attackers immediately pivoted to container-based delivery, exploiting this gap until Microsoft patched it in November 2022.

The Attack

Mark-of-the-Web Background

When you download a file, Windows adds an alternate data stream:

file.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3  (Internet)

This MOTW triggers:

  • SmartScreen warnings before execution
  • Protected View in Office
  • Macro blocks in Office
  • Security prompts
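To make the mark concrete, here is an added Python helper (not from the original page) that parses the Zone.Identifier stream body shown above and walks a folder on an NTFS volume, for instance files copied out of an image or extracted from an archive, listing the files that carry no mark at all. Reading the alternate data stream requires Windows and NTFS; the parser itself runs anywhere, and tolerating an annotation after the ZoneId value (as in the listing above) is this example's own choice.

```python
import os

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream body: a [ZoneTransfer] section with ZoneId=, ReferrerUrl=, HostUrl= keys."""
    fields, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    token = fields.get("ZoneId", "").split()       # tolerate annotations such as "3  (Internet)"
    if not token or not token[0].isdigit():
        raise ValueError("no numeric ZoneId under [ZoneTransfer]")
    fields["ZoneId"] = int(token[0])
    fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "Unknown")
    return fields

def read_motw(path: str):
    """Parsed mark for one file, or None when it has no Zone.Identifier stream (needs Windows/NTFS)."""
    try:
        # "file:Zone.Identifier" opens the alternate data stream; utf-8-sig drops a BOM if present
        with open(path + ":Zone.Identifier", encoding="utf-8-sig", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except (OSError, ValueError):
        return None

def find_unmarked(root: str) -> list:
    """Files under root that carry no mark at all, so neither SmartScreen nor Protected View
    will trigger for them; run it over files copied out of a mounted image to see the gap."""
    return [os.path.join(d, n) for d, _, names in os.walk(root) for n in names
            if read_motw(os.path.join(d, n)) is None]
```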

The Container Bypass (Pre-Patch)

1. Victim downloads: malware.iso (has MOTW)
2. Victim double-clicks ISO (Windows mounts as virtual drive)
3. Files INSIDE ISO → No MOTW!
4. payload.exe runs without any security warning

The MOTW didn’t propagate into the mounted container: a gap that existed for years but became critical once macros were blocked.

Attack Chain

┌──────────────────────────────────────────────────────────────┐
│ EMAIL                                                        │
│                                                              │
│ Subject: Invoice #2024-1234                                  │
│ Attachment: Invoice_Details.iso (or .img)                    │
└──────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌──────────────────────────────────────────────────────────────┐
│ ISO FILE CONTENTS                                            │
│                                                              │
│ E:\                                                          │
│ ├── Invoice.lnk          ← Visible, looks like document      │
│ ├── payload.dll          ← Hidden file                       │
│ └── data.txt             ← Decoy content                     │
│                                                              │
│ Invoice.lnk executes:                                        │
│ rundll32.exe payload.dll,EntryPoint                          │
└──────────────────────────────────────────────────────────────┘
                            │
                            ▼
┌──────────────────────────────────────────────────────────────┐
│ EXECUTION                                                    │
│                                                              │
│ - No MOTW on extracted files                                 │
│ - No SmartScreen warning                                     │
│ - No Protected View                                          │
│ - DLL executes immediately                                   │
└──────────────────────────────────────────────────────────────┘

Container Types Abused

Format   | Extension   | Mount Behavior       | MOTW Status (Pre-Patch)
ISO 9660 | .iso        | Auto-mount as drive  | No propagation
IMG      | .img        | Auto-mount as drive  | No propagation
VHD/VHDX | .vhd, .vhdx | Mount as drive       | No propagation
ZIP      | .zip        | Depends on extractor | Inconsistent
7z       | .7z         | Depends on extractor | Often stripped
RAR      | .rar        | Depends on extractor | Often stripped

LNK File Abuse

Shortcut (LNK) files were ideal for container payloads:

  • Execute arbitrary commands
  • Display trusted icons (Word, PDF, etc.)
  • Named with misleading extensions
  • Not blocked like EXE attachments

LNK Obfuscation Techniques:

Icon Spoofing:

Visible Properties:
  Target: Invoice.pdf
  Icon: PDF document icon

Actual Command:
  C:\Windows\System32\cmd.exe /c powershell -ep bypass -w hidden -e [BASE64]

Environment Variable Abuse:

Target: %ComSpec% /c calc.exe
       → Expands to C:\Windows\System32\cmd.exe /c calc.exe

Path Padding (UI Truncation):

Target: C:\Windows\System32\cmd.exe                    [256 spaces] /c malware.exe
                                                       ↑
                                               Truncated in properties UI
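As an added example (not from the original page), this Python parser reads the ShowCommand value and the StringData strings of a .lnk file following the MS-SHLLINK layout and flags the three techniques just described plus a hidden-window ShowCommand and a LOLBin target; it skips the IDList, LinkInfo and ExtraData sections, so a target stored only in the shell item list is not examined. The link it builds is constructed for the test and is not a real malware artifact; the `<BASE64>` token and the 32-space padding threshold are this example's assumptions.

```python
import re
import struct

HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80     # LinkFlags bits (MS-SHLLINK 2.1.1)
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]  # StringData order in the file
SW_SHOWMINNOACTIVE = 7  # ShowCommand that launches the target without a visible window
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
CHECKS = [("path_padding", r"\s{32,}"), ("env_var_target", r"%\w+%"),
          ("powershell_flags", r"(?i)-(e|enc|encodedcommand)\s|-ep\s+bypass|-w\s+hidden")]

def parse_lnk(data: bytes) -> dict:
    """Read ShowCommand and the StringData strings; IDList, LinkInfo and ExtraData are skipped."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    info, off = {"show_command": struct.unpack_from("<I", data, 60)[0]}, 76
    if flags & HAS_ID_LIST:                    # u16 size, then the item id list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # u32 size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    for key, bit in STRING_FIELDS:             # u16 character count, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off + 2:off + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            off += 2 + count * width
    return info

def find_obfuscation(info: dict) -> list:
    """Names of the tricks present: hidden window, LOLBin host, padding, env vars, PowerShell flags."""
    target, args = info.get("relative_path", ""), info.get("arguments", "")
    hits = ["hidden_window"] if info["show_command"] == SW_SHOWMINNOACTIVE else []
    if target.replace("/", "\\").rsplit("\\", 1)[-1].lower() in LOLBINS:
        hits.append("lolbin_target")
    hits += [name for name, rx in CHECKS if re.search(rx, target + " " + args)]
    return hits

def build_sample_lnk() -> bytes:
    """Constructed test link (not a real sample): cmd.exe target, 256 spaces of padding, hidden window."""
    def s(text):  # one StringData element: u16 count + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 0x4C)                     # HeaderSize
    struct.pack_into("<I", header, 20, 0x08 | 0x20 | 0x40 | IS_UNICODE)  # LinkFlags
    struct.pack_into("<I", header, 60, SW_SHOWMINNOACTIVE)      # ShowCommand
    return (bytes(header) + s("..\\..\\Windows\\System32\\cmd.exe")
            + s(" " * 256 + "/c powershell -ep bypass -w hidden -e <BASE64>")
            + s("%SystemRoot%\\System32\\shell32.dll"))
```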

Real-World Campaigns

QakBot (2022):

HTML attachment → Downloads ISO → Contains LNK + DLL
LNK runs: regsvr32.exe payload.dll

Source: Proofpoint - QakBot Evolves

IcedID:

ISO file → Contains LNK disguised as document
LNK runs: rundll32.exe data.dll,update

Source: Elastic Security - IcedID Analysis

Bumblebee:

ISO file → Contains LNK + hidden folder with loader
LNK runs: PowerShell downloads next stage

Source: Google TAG - Bumblebee Loader

Emotet Return (2022):

Pivoted from macros to ISO after 10-month hiatus
LNK files invoking regsvr32 → Later moved to OneNote

Source: CISA - Emotet

Raw Email Headers (Container Delivery)

Typical phishing email delivering ISO container:

Return-Path: <invoice@supplier-invoices.com>
Received: from mail.supplier-invoices.com (mail.supplier-invoices.com [198.51.100.55])
        by mx.target.com (Postfix) with ESMTPS id ISO001
        for <accounts@target.com>; Thu, 30 Jan 2025 10:15:22 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=supplier-invoices.com; s=mail;
        h=from:to:subject:date;
        bh=container123...;
        b=isosig456...
Authentication-Results: mx.target.com;
        dkim=pass header.d=supplier-invoices.com;
        spf=pass smtp.mailfrom=invoice@supplier-invoices.com;
        dmarc=pass (p=REJECT) header.from=supplier-invoices.com
From: "Accounts Payable" <invoice@supplier-invoices.com>
To: accounts@target.com
Subject: Invoice #INV-2025-0130 - Payment Required
Date: Thu, 30 Jan 2025 10:15:18 -0500
Message-ID: <iso-delivery-001@supplier-invoices.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="container-boundary"

--container-boundary
Content-Type: text/plain; charset=UTF-8

Please find attached the invoice for January services.

Best regards,
Accounts Payable

--container-boundary
Content-Type: application/x-iso9660-image; name="Invoice-INV-2025-0130.iso"
Content-Disposition: attachment; filename="Invoice-INV-2025-0130.iso"
Content-Transfer-Encoding: base64

[Base64-encoded ISO containing LNK and malware]
--container-boundary--

Key observations:

  • Authentication passes for attacker’s cousin domain
  • ISO attachment with invoice-themed filename
  • User mounts ISO, sees "Invoice.lnk" with document icon
  • Clicking LNK executes hidden payload
  • No MOTW warnings (pre-patch)

The Response

Microsoft MOTW Propagation Fix (November 2022)

CVE-2022-41091: Windows Security Feature Bypass

Microsoft patched Windows to propagate MOTW to mounted container contents:

  • MOTW now propagates into mounted ISOs/IMGs
  • Contents inherit Zone.Identifier
  • SmartScreen warnings restored

Source: Microsoft Security Update Guide

CVE-2022-44698: Additional MOTW bypass patched in December 2022.

Email Gateway Blocking

Organizations began blocking container file types at the email gateway:

Block attachments:
- *.iso, *.img, *.vhd, *.vhdx
- *.lnk (shortcuts in email = always suspicious)
- Nested: *.zip containing *.iso
- Password-protected containers

Group Policy Controls

To disable auto-mounting across the organization:

Computer Configuration → Administrative Templates →
Windows Components → File Explorer →
"Do not allow mounting of virtual disks" = Enabled

Attacker Adaptation

OneNote Pivot (January 2023)

When ISO was patched, attackers immediately moved to OneNote:

.one file with embedded VBS/HTA/BAT
User double-clicks "attachment" icon
Script executes without MOTW warning

Timeline:

  • January 2023: OneNote abuse begins
  • April 2023: Microsoft blocks dangerous file types in OneNote

Source: Microsoft - Blocked file extensions in OneNote

HTML Smuggling + Containers

Combining techniques to evade gateway blocking:

HTML attachment → JavaScript constructs ISO blob
→ ISO downloaded locally (may bypass MOTW depending on browser)
→ User manually opens downloaded ISO

Double-Packaging / Nested Containers

outer.zip (MOTW on ZIP)
└── inner.iso (might lose MOTW on extraction)
    └── payload.lnk → malware (no MOTW)

Password-Protected Containers

Email body: "Password: invoice2024"
Attachment: protected.zip
└── malware.iso
    └── payload

Gateway can’t scan contents; user extracts manually.

New Container Formats

After ISO/IMG became heavily signatured, attackers moved to less-scrutinized formats:

  • 7z archives
  • RAR with extensions
  • CAB files
  • UDF images
  • WIM (Windows Imaging Format)

Current State

Status: Active (Adapting)

Container abuse continues with adaptations:

Vector             | Current Status  | Bypass Method
ISO/IMG            | Patched (MOTW)  | Password protection, HTML smuggling
VHD/VHDX           | Patched         | Less commonly blocked than ISO
LNK                | Active          | Sent via links, other containers
OneNote            | Patched (2023)  | Brief window of effectiveness
ZIP+ISO nested     | Blocked by many | Some gateways miss nested containers
Password-protected | Active          | Cannot be scanned by gateways

The Pattern

This attack demonstrates a common cat-and-mouse pattern:

  1. Defense kills primary vector (macro blocking)
  2. Attackers find gap in defense (MOTW doesn’t propagate)
  3. Mass pivot to new vector (ISO/LNK becomes dominant)
  4. Industry responds (MOTW patch, gateway blocking)
  5. Attackers adapt again (OneNote, nested containers, password protection)

Detection Guidance

Email Analysis

Flag emails with:

  • ISO, IMG, VHD, VHDX attachments
  • Nested containers (ZIP with ISO inside)
  • Password-protected archives with passwords in body
  • Container files from external senders
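One way to implement the email rules above (the gateway block list for container attachments, nested containers inside ZIPs, and the archive-plus-password-in-body pattern) as an added Python example that is not from the original page. It inspects only ZIP archives, using the standard library; 7z and RAR would need third-party parsers. The message it builds is constructed for the test, with .example domains, and is not a real lure.

```python
import email, io, os, re, zipfile
from email.message import EmailMessage
from email.policy import default

CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx", ".lnk", ".udf", ".wim"}
PASSWORD_RE = re.compile(r"(?i)\bpass(word|code)?\s*[:=]\s*\S+")   # "Password: invoice2024" in the body

def inspect_zip(blob: bytes):
    """Return (container files found inside the ZIP, whether any entry is marked encrypted)."""
    nested, encrypted = [], False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for zi in zf.infolist():
                encrypted |= bool(zi.flag_bits & 0x1)   # general-purpose flag bit 0 = encrypted entry
                if os.path.splitext(zi.filename)[1].lower() in CONTAINER_EXTS:
                    nested.append(zi.filename)
    except zipfile.BadZipFile:
        nested.append("<unreadable archive>")          # an unparseable ZIP is itself worth a look
    return nested, encrypted

def triage(raw: bytes) -> list:
    """Apply the gateway rules above to one RFC 5322 message; returns alert strings."""
    msg = email.message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    password_in_body = bool(PASSWORD_RE.search(body.get_content() if body else ""))
    alerts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in CONTAINER_EXTS:
            alerts.append(f"container attachment: {name}")
        elif ext == ".zip":
            nested, encrypted = inspect_zip(part.get_payload(decode=True) or b"")
            alerts += [f"nested container in {name}: {n}" for n in nested]
            if encrypted or password_in_body:
                alerts.append(f"archive with password pattern: {name}")
    return alerts

def build_sample() -> bytes:
    """Constructed lure (not a real sample): ZIP wrapping a fake inner ISO, password given in the body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.iso", b"placeholder bytes, not a real ISO 9660 image")
    msg = EmailMessage()
    msg["From"], msg["To"] = "invoice@supplier-invoices.example", "accounts@target.example"
    msg["Subject"] = "Invoice - Payment Required"
    msg.set_content("Please find the invoice attached.\nPassword: invoice2024\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Invoice.zip")
    return msg.as_bytes()
```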

Endpoint Monitoring

Watch for:

  • ISO/IMG mount events from email downloads
  • LNK execution from mounted drives or unusual paths
  • rundll32/regsvr32 loading DLLs from mounted volumes
  • PowerShell spawned from LNK parent process

SIEM Queries

Container mount from email:

event.type = "file_mount"
AND file.extension IN ("iso", "img", "vhd")
AND (source.path CONTAINS "Downloads" OR source.path CONTAINS "Outlook")

Suspicious execution from mounted drive:

process.parent.name = "explorer.exe"
AND process.name IN ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe")
AND process.command_line CONTAINS drive_letter
AND drive_letter.type = "mounted_iso"

LNK spawning suspicious process:

process.parent.command_line CONTAINS ".lnk"
AND process.name IN ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
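The three pseudo-queries above rendered as runnable Python detection logic over constructed events; this is an added example, not from the original page. The event field names (ts, type, image, cmdline, parent, parent_cmdline, drive), the ten-minute mount-to-execution window and the path patterns are assumptions of this example, loosely modelled on Sysmon process-creation fields; mount events would come from whatever disk-image mount telemetry your SIEM ingests.

```python
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
IMAGE_EXTS = ("iso", "img", "vhd", "vhdx")
MAIL_PATHS = re.compile(r"(?i)\\(Downloads|INetCache|Content\.Outlook|Temporary Internet Files)\\")
WINDOW = timedelta(minutes=10)   # assumed: how long after a mount an execution from that drive is suspicious

def detect(events: list) -> list:
    """Run the three queries above over time-ordered events; returns (rule, event) pairs."""
    mounts, alerts = {}, []      # drive letter -> time of the last mount from a mail/download path
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "mount":
            if ev["image"].rsplit(".", 1)[-1].lower() in IMAGE_EXTS and MAIL_PATHS.search(ev["image"]):
                mounts[ev["drive"].upper()] = ts
                alerts.append(("container_mount_from_email", ev))
            continue
        if ev["image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
            continue
        cmd = ev["cmdline"].upper()
        from_image = any(f"{drive}\\" in cmd and ts - when <= WINDOW for drive, when in mounts.items())
        if ev["parent"].lower() == "explorer.exe" and from_image:
            alerts.append(("lolbin_from_mounted_image", ev))
        if ".lnk" in ev.get("parent_cmdline", "").lower():
            alerts.append(("script_host_from_lnk", ev))
    return alerts

SAMPLE_EVENTS = [   # constructed events loosely modelled on Sysmon fields; not real telemetry
    {"ts": "2025-01-30T10:20:01", "type": "mount", "drive": "E:",
     "image": r"C:\Users\jdoe\Downloads\Invoice-INV-2025-0130.iso"},
    {"ts": "2025-01-30T10:20:09", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe E:\payload.dll,EntryPoint", "parent": "explorer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"ts": "2025-01-30T10:20:10", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -ep bypass -w hidden -e <BASE64>", "parent": "cmd.exe",
     "parent_cmdline": r'cmd.exe /c "E:\Invoice.lnk"'},
    {"ts": "2025-01-30T11:05:00", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe E:\data.txt", "parent": "explorer.exe", "parent_cmdline": r"C:\Windows\explorer.exe"},
    {"ts": "2025-01-30T12:00:00", "type": "mount", "drive": "F:", "image": r"D:\ISOs\Win11.iso"},
]

def rules_fired(events=SAMPLE_EVENTS) -> list:
    """Rule names in firing order; for SAMPLE_EVENTS, one alert per query above and none for the benign events."""
    return [rule for rule, _ in detect(events)]
```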

Policy Recommendations

  1. Block ISO/IMG/VHD/VHDX at email gateway
  2. Block LNK files in email attachments (never legitimate)
  3. Disable auto-mount via GPO if business doesn’t require it
  4. Ensure all Windows systems have MOTW patches applied
  5. Train users on container file risks
  6. Monitor for password-protected archive + password in body pattern

What Killed It (or Weakened It)

Defense                     | Introduced | Impact
Mark-of-the-Web Propagation | 2022       | Windows propagates MOTW to ISO/IMG contents (CVE-2022-41091)
ISO/IMG Attachment Blocking | 2022       | Email gateways block disk image attachments by default
VHD/VHDX Restrictions       | 2023       | Additional container formats blocked at gateway
LNK File Restrictions       | 2023       | Enhanced scrutiny on shortcut file execution from containers