Malicious ISO File Used in Romance Scam Targeting German Speakers
A recent cyberattack campaign is preying on German speakers with a deceptive adult-themed and romance scam to deliver malware. The sophisticated operation leverages a legitimate traffic distribution system (TDS) called Keitaro TDS to redirect unsuspecting victims to malicious domains. This campaign was discovered by the security research firm Sublime Security, and they exclusively shared their findings with Hackread.com.
The report’s authors, Sublime Security detection engineer Bryan Campbell and threat researcher Brian Baskin, explained that the emails involved in this campaign use enticing language and offer links to explicit content, aiming to draw the recipient in.
A key warning sign identified by Sublime’s AI-powered detection engine was the inclusion of a password for a protected archive directly within the email – a highly unusual practice for legitimate communications. Furthermore, the emails often came from unfamiliar senders with inconsistent names, email addresses, and reply-to details.
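The warning signs listed above (an archive password handed over in the email body, a link to an archive, and From/Reply-To headers that do not agree) translate directly into a mail-triage check. The following is an added example written for this article, not Sublime Security's detection engine or any code from the report; the two sample messages, their addresses and the link targets are constructed for illustration and are not indicators from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; neither is a real email from the campaign described.
LURE_EMAIL = """\
From: "Anna" <anna.k@sender.example>
Reply-To: "Sandra" <contact@other.example>
To: victim@victim.example
Subject: Meine privaten Fotos nur fuer dich
Content-Type: text/plain; charset=utf-8

Hallo! Hier ist das Video: https://tds.example/video/preview
Und alle Bilder als Archiv: https://tds.example/download/lovely_photos.zip
Das Passwort fuer das Archiv ist: 1234
"""

BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@victim.example>
To: victim@victim.example
Subject: Monthly maintenance window
Content-Type: text/plain; charset=utf-8

The file server will be offline Saturday 02:00-04:00 UTC. No action is required.
"""

# A link whose last path component is an archive or disc image.
ARCHIVE_LINK_RE = re.compile(r"https?://\S+\.(?:zip|rar|7z|iso)\b", re.IGNORECASE)
# "Passwort/Password/Kennwort ... : <value>" on one line: the body hands over the key itself.
PASSWORD_RE = re.compile(
    r"\b(?:passwort|password|kennwort)\b[^\n]{0,40}?[:=]\s*(\S+)", re.IGNORECASE
)


def _plain_text_body(msg):
    """Concatenate every text/plain part (works for flat and multipart messages)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return the individual signals and an overall verdict for one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = _plain_text_body(msg)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    pw = PASSWORD_RE.search(body)

    signals = {
        "password_in_body": pw is not None,
        "archive_link": ARCHIVE_LINK_RE.search(body) is not None,
        # Header inconsistencies only count when a Reply-To header is present at all.
        "reply_to_domain_mismatch": bool(reply_addr) and _domain(reply_addr) != _domain(from_addr),
        "display_name_mismatch": bool(reply_name) and reply_name.lower() != from_name.lower(),
    }
    # A password next to an archive link is the strongest single indicator; otherwise
    # several weaker header inconsistencies are needed before escalating.
    suspicious = (signals["password_in_body"] and signals["archive_link"]) or sum(signals.values()) >= 3
    return {
        "signals": signals,
        "archive_password": pw.group(1) if pw else None,
        "verdict": "suspicious" if suspicious else "clean",
    }


if __name__ == "__main__":
    for label, raw in (("lure", LURE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, score_message(raw))
```

The extracted password is returned because, once the archive has been fetched in a sandbox, it is exactly what the analyst needs to open the container without searching the message again.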
How the Attack Works
Victims receive emails containing two malicious links. One is embedded in a video preview image, while the other points to an archive file. If a user clicks these links, the system first checks if their location is in Germany. If so, a large 300MB ISO file, acting as a malicious payload, is quietly downloaded from a Russia-based server in the background.
The attackers’ use of Keitaro TDS is crucial. This system allows cybercriminals to precisely target victims, ensuring only individuals from specific regions, like Germany, and even during certain hours, are exposed to the malicious content. This precision helps attackers increase their success rate by tailoring their approach to a specific audience.
The Hidden Threat Within
Once downloaded, the ISO file is designed to evade detection. After removing extra junk data, the remaining content is a standard container that can be mounted as a drive. This drive then holds another large executable file, “lovely_photos.exe,” and a text document with the password for a self-extracting archive.
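Padding an image with junk defeats tools that only look at the first bytes or at the expected offset, but an ISO 9660 volume is still easy to locate: its primary volume descriptor (type byte 0x01, the string `CD001`, version 0x01) sits exactly 16 sectors of 2048 bytes into the image, and the descriptor itself records the volume size in sectors. The following triage helper is an added example for this article, not code from Sublime Security's analysis; it locates the descriptor wherever it lands, derives where the real image starts and ends, and reports how much padding was added before and after it. The sample image it builds is constructed, and its volume label is a placeholder.

```python
import struct

SECTOR = 2048
SYSTEM_AREA = 16 * SECTOR   # ISO 9660 leaves the first 16 sectors to the system; descriptors start at sector 16
CD001 = b"CD001"


def build_constructed_iso(volume_sectors=20, volume_id=b"CONSTRUCTED_VOL"):
    """Minimal, constructed ISO 9660 image: a primary volume descriptor and a set terminator."""
    img = bytearray(volume_sectors * SECTOR)
    pvd = SYSTEM_AREA
    img[pvd] = 1                                        # descriptor type 1 = primary
    img[pvd + 1:pvd + 6] = CD001
    img[pvd + 6] = 1                                    # descriptor version
    img[pvd + 40:pvd + 72] = volume_id.ljust(32)        # volume identifier, space padded
    img[pvd + 80:pvd + 84] = struct.pack("<I", volume_sectors)   # volume space size, both-endian
    img[pvd + 84:pvd + 88] = struct.pack(">I", volume_sectors)
    img[pvd + 128:pvd + 130] = struct.pack("<H", SECTOR)        # logical block size, both-endian
    img[pvd + 130:pvd + 132] = struct.pack(">H", SECTOR)
    term = pvd + SECTOR
    img[term] = 255                                     # descriptor type 255 = set terminator
    img[term + 1:term + 6] = CD001
    img[term + 6] = 1
    return bytes(img)


def find_embedded_iso(blob):
    """Locate an ISO 9660 primary volume descriptor anywhere in blob and describe the image around it.

    Returns None when no consistent descriptor is found.
    """
    pos = blob.find(CD001)
    while pos != -1:
        start = pos - 1 - SYSTEM_AREA              # where sector 0 of the image would have to be
        if start >= 0 and blob[pos - 1] == 1 and blob[pos + 5] == 1:
            pvd = blob[pos - 1:pos - 1 + SECTOR]
            if len(pvd) >= 132:
                space_le = struct.unpack_from("<I", pvd, 80)[0]
                space_be = struct.unpack_from(">I", pvd, 84)[0]
                block = struct.unpack_from("<H", pvd, 128)[0]
                # Both-endian fields must agree; a random "CD001" in junk will not pass this.
                if space_le == space_be and block:
                    length = space_le * block
                    return {
                        "image_offset": start,
                        "image_length": length,
                        "block_size": block,
                        "volume_id": pvd[40:72].decode("ascii", "replace").strip(),
                        "leading_junk": start,
                        "trailing_junk": max(0, len(blob) - start - length),
                    }
        pos = blob.find(CD001, pos + 1)
    return None


def carve_iso(blob, info):
    """Cut the clean image out so it can be handed to a mount tool or hashed on its own."""
    return blob[info["image_offset"]:info["image_offset"] + info["image_length"]]


# Constructed sample: 1000 bytes of junk, a 20-sector image, then 500 bytes of junk.
SAMPLE_BLOB = b"JUNK" * 250 + build_constructed_iso() + b"\xff" * 500

if __name__ == "__main__":
    info = find_embedded_iso(SAMPLE_BLOB)
    print(info)
    print(len(carve_iso(SAMPLE_BLOB, info)), "bytes carved")
```

Hashing the carved image rather than the padded download gives a stable value to pivot on, since trailing or leading junk can be varied per victim without touching the container itself.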
Upon execution, the malware prompts for a password, conveniently provided in the original email and the extracted text file. This initiates the extraction of multiple files, including explicit images and other files, into the user’s temporary directory. A batch script then runs, building an AutoIt interpreter to execute a highly disguised AutoIt script.
AutoIt is a legitimate scripting language, but here it’s weaponised. This script further attempts to bypass antivirus software by checking for running services and delaying its execution.
The final AutoIt script, heavily obscured, then establishes persistence by creating a Windows scheduled task named DragonMapper, ensuring the malware runs every time the user logs in. This research serves as a vital reminder that threat actors can create highly targeted campaigns, delivering tailored messages for a higher success rate.