A new malspam campaign is spreading NanoCore, a remote access Trojan (RAT), hidden inside icon files, Trustwave's SpiderLabs team reports. The phishing emails carry attachments that abuse the icon file format to get victims to extract and run the NanoCore executable.
The attacks start with emails that pretend to come from a “Purchase Manager” at the targeted organization or at a legitimate business partner. If the victim opens an attachment named “NEW PURCHASE ORDER.pdf*.zipx,” an archive tool such as WinZip or WinRAR extracts an executable from it. 7Zip can extract the file too, although it may take more than one attempt.
Because the attachment leads with an icon file rather than an archive header, it gets past the security checks performed by email clients.
“There is no need for the extension of the recent attachments to be renamed to something else other than .zipx or .zip just for their executables to be extracted using 7Zip,” the researchers say.
What the victim's archive tool actually unpacks is an icon image binary with extra data appended to it in .RAR format; the tool locates the embedded archive behind the image bytes and extracts the executable inside.
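The following is an added triage example, not code from the SpiderLabs report: it applies the check a mail-gateway or incident responder would want for the attachment layout described above, namely a file named .zip or .zipx whose leading bytes are an icon (or JPEG) header and which carries a RAR signature further in. The sample attachment it inspects is constructed inline (a minimal 1x1 ICO followed by a RAR 4.x signature) and is not a real malware artifact; the file name uses a plain ".pdf.zipx" double extension, an assumption in place of the report's "pdf*" wildcard. All function and constant names are the example's own.

```python
# Added example (not from the Trustwave/SpiderLabs report): heuristic check for
# a .zip/.zipx attachment that is really an icon image with a RAR archive appended.
ICO_MAGIC = b"\x00\x00\x01\x00"      # ICONDIR header: reserved=0, image type=1 (icon)
JPEG_MAGIC = b"\xff\xd8\xff"         # JPEG SOI marker (the Lokibot variant used .JPG icons)
ZIP_MAGIC = b"PK\x03\x04"            # local file header of a genuine ZIP/ZIPX archive
RAR_MAGICS = (
    b"Rar!\x1a\x07\x00",             # RAR 4.x signature
    b"Rar!\x1a\x07\x01\x00",         # RAR 5.x signature
)
ARCHIVE_EXTENSIONS = {"zip", "zipx"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}


def leading_format(data: bytes) -> str:
    """Identify the container by its first bytes, ignoring the file name."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(ICO_MAGIC):
        return "ico"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    return "unknown"


def find_embedded_rar(data: bytes) -> int:
    """Offset of the first RAR signature anywhere in the blob, or -1.
    Archive tools search for the signature the same way, which is why the
    image bytes in front do not stop extraction."""
    hits = [data.find(magic) for magic in RAR_MAGICS]
    hits = [offset for offset in hits if offset >= 0]
    return min(hits) if hits else -1


def split_name(filename: str):
    """Return (lowercased stem, final extension) for an attachment name."""
    name = filename.lower()
    if "." not in name:
        return name, ""
    stem, ext = name.rsplit(".", 1)
    return stem, ext


def analyze_attachment(filename: str, data: bytes) -> dict:
    """Flag the icon/RAR polyglot and the extension mismatch it relies on."""
    stem, ext = split_name(filename)
    fmt = leading_format(data)
    rar_offset = find_embedded_rar(data)
    inner_ext = stem.rsplit(".", 1)[-1] if "." in stem else ""
    claims_archive = ext in ARCHIVE_EXTENSIONS
    return {
        "extension": ext,
        "leading_format": fmt,
        "rar_offset": rar_offset,
        # "invoice.pdf.zipx": a document extension hidden before the archive one
        "double_extension": inner_ext in DOCUMENT_EXTENSIONS,
        # name says ZIP, bytes say otherwise
        "extension_mismatch": claims_archive and fmt != "zip",
        # image header in front, RAR archive appended after it
        "icon_rar_polyglot": claims_archive and fmt in ("ico", "jpeg") and rar_offset > 0,
    }


def build_sample_polyglot() -> bytes:
    """Constructed sample, not a real malware artifact: a minimal 1x1 ICO
    followed by a RAR 4.x signature and filler, the layout the report describes."""
    icondir = ICO_MAGIC + (1).to_bytes(2, "little")                    # one image entry
    entry = (bytes([1, 1, 0, 0])                                        # 1x1 px, no palette, reserved
             + (1).to_bytes(2, "little") + (32).to_bytes(2, "little")   # colour planes, bits per pixel
             + (4).to_bytes(4, "little") + (22).to_bytes(4, "little"))  # image size, image offset
    pixels = b"\x00\x00\xff\xff"                                        # one BGRA pixel as stand-in data
    return icondir + entry + pixels + RAR_MAGICS[0] + b"\x00" * 32      # RAR signature lands at offset 26


if __name__ == "__main__":
    for name, blob in (("NEW PURCHASE ORDER.pdf.zipx", build_sample_polyglot()),
                       ("invoice.zip", ZIP_MAGIC + b"\x00" * 30)):
        print(name, analyze_attachment(name, blob))
```

The check deliberately keys on the leading bytes rather than on the extension, because the report's point is that the extension alone tells the archive tool nothing: WinRAR and 7Zip find the RAR signature wherever it sits. A gateway rule that only matches `*.zip` against `PK` headers would therefore pass this attachment; comparing the declared archive type with the real leading format and scanning for an embedded archive signature catches it.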
Successful extraction is followed by the deployment of NanoCore RAT, a family first detected and described in 2013. This Remote Access Trojan (RAT) includes a keylogger, a dropper for additional malware and an information stealer, and it can access and steal webcam footage. Whatever it collects is exfiltrated to the attacker’s command-and-control (C2) server.
The variant distributed in icon files copies itself into the AppData folder and hijacks the RegSvcs.exe process, a legitimate .NET Framework utility, so that its code runs under that process name.
The technique described by SpiderLabs resembles earlier phishing campaigns that delivered this malware, which likewise relied on the .zipx extension.
Trustwave researchers previously reported that another Trojan, Lokibot, spread in malspam campaigns that combined the .zipx extension with .JPG icon files, with the aim of compromising cryptocurrency wallets.