This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Topic 4.8 of Malicious Web & Document Files
Container files (ISO, IMG, VHD) bypass the Mark-of-the-Web because Windows mounts them as drives, stripping the zone identifier from contents. This topic covers the technique, its rise in BumbleBee and Emotet campaigns, the Microsoft November 2022 mitigation, and current analyst workflows for container triage.
By the end of this topic, you will
Quadrant 1 · e-Tutorial
Video content coming soon.
Quadrant 2 · e-Content
Quadrant 3 · Web Resources
Downloadable reference material
External links
Google TAG: BumbleBee Loader Analysis
Google Threat Analysis Group's initial documentation of BumbleBee and its ISO-based delivery.
CVE-2022-41091 — MotW Bypass via ISO
Microsoft's security advisory for the Mark-of-the-Web propagation bypass patched in November 2022.
7-Zip
Extract ISO/IMG contents without mounting. Safer initial extraction in an analysis environment.
Quadrant 4 · Self-Assessment
Malicious Web & Document Files
Covers drive-by download attacks, JavaScript de-obfuscation, malicious PDF analysis, RTF exploitation, and Microsoft Office macro malware.
REMA Complete Assessment
A comprehensive 120-question assessment covering the entire Reverse Engineering and Malware Analysis curriculum: malware taxonomy and reverse engineering fundamentals, static and dynamic analysis, reversing malicious code, malicious web and document files, in-depth analysis of packed and fileless malware, and self-defending malware techniques.