Trustwave has discovered an unusual campaign spreading the NanoCore Trojan. The spam emails carry attachments that pose as .zipx archives but are actually Windows icon (.ico) files with a RAR archive appended after the image data. The disguise is meant to hide the malware from scanners and slip past attachment filters that trust the extension or the leading bytes of the file.
The attackers' emails are typically written on behalf of the "purchasing manager" of some organization, most often with the sender address forged to look like one of the target's business partners. These phishing emails carry an attachment named "NEW PURCHASE ORDER.pdf*.zipx", but the file does not conform to the .zipx (WinZip extended ZIP) format at all. It is, as the researchers put it, a "surprise icon file": an image binary with extra data attached in RAR format, and that embedded archive holds a malicious EXE carrying the payload.
If the victim takes the bait and opens the attachment on a machine where an archiver such as WinZip or WinRAR is installed, the archiver ignores the bogus extension, locates the RAR signature inside the file, and extracts the executable. 7-Zip can also unpack such a file, though it may take more than one attempt, as the archiver sometimes reports an error.
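The behaviour described above, an icon file with a RAR archive appended, is easy to catch if a mail gateway or triage script compares what the extension claims with what the bytes say, and looks for an archive signature anywhere in the file rather than only at offset 0. The following is an added example written for this article, not code from Trustwave or from the campaign; the ICO/ZIP/RAR magic values are the real format signatures, the sample "lure" is constructed inline (it is not a malware sample), and the function names and the attachment filename are illustrative.

```python
import struct
import sys
from typing import Optional

# Real format signatures. A genuine .zipx is a ZIP container and begins with a
# local file header "PK\x03\x04"; the lure begins with a Windows ICO header
# (reserved=0, type=1) and carries a RAR archive somewhere after the icon data.
ZIP_MAGIC = b"PK\x03\x04"
ICO_MAGIC = b"\x00\x00\x01\x00"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def classify_attachment(data: bytes) -> dict:
    """Describe what the bytes really are, ignoring the file extension."""
    result = {"container": "unknown", "rar_offset": None, "rar_version": None}
    if data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
    elif data.startswith(ICO_MAGIC):
        result["container"] = "ico"
    # Archivers find a RAR by scanning for its signature, so scan the whole blob.
    for magic, version in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4)):
        offset = data.find(magic)
        if offset != -1:
            result["rar_offset"] = offset
            result["rar_version"] = version
            break
    return result


def is_suspicious(filename: str, data: bytes) -> bool:
    """True when the declared extension disagrees with the real container, or
    when an archive signature sits behind non-archive data (a polyglot)."""
    info = classify_attachment(data)
    claims_zip = filename.lower().endswith((".zip", ".zipx"))
    if claims_zip and info["container"] != "zip":
        return True
    # A RAR signature at a non-zero offset means something was prepended to it.
    return info["rar_offset"] not in (None, 0)


def carve_rar(data: bytes) -> Optional[bytes]:
    """Return the appended RAR bytes so they can be analysed on their own."""
    info = classify_attachment(data)
    if info["rar_offset"] is None:
        return None
    return data[info["rar_offset"]:]


def build_sample_lure() -> bytes:
    """Constructed test input (not a real sample): a minimal ICO header with one
    directory entry and dummy pixel data, followed by a RAR5 signature."""
    image = b"\x00" * 64
    header = struct.pack("<HHH", 0, 1, 1)              # reserved, type=icon, count
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + RAR5_MAGIC + b"\x00" * 32


if __name__ == "__main__":
    # Usage: python check_zipx.py <attachment>   (defaults to the built-in lure)
    if len(sys.argv) > 1:
        name, blob = sys.argv[1], open(sys.argv[1], "rb").read()
    else:
        name, blob = "NEW PURCHASE ORDER.pdf.zipx", build_sample_lure()
    print(name, classify_attachment(blob), "suspicious:", is_suspicious(name, blob))
```

The key design choice is to scan for the RAR signature at any offset: that mirrors what WinRAR and 7-Zip do when they open the file, so the check flags exactly the files those tools would happily extract. Carving from the signature onward hands the hidden archive to a sandbox or AV engine that would otherwise only see an icon.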
"Analysis of the EXE files shows that they are samples of NanoCore RAT version 126.96.36.199. It creates copies of itself in the AppData folder and injects malicious code into the RegSvcs.exe process," the experts write.
As a reminder, NanoCore was first spotted back in 2013. Once on a system, it harvests email addresses and passwords and can switch on the webcams of infected devices. The malware can also act as a dropper for additional malware and as a platform for building botnets that use the infected hosts for DDoS attacks.
It is worth noting that the Trojan's developer, Taylor Huddleston, was convicted in the US back in 2018; as this campaign shows, his creation is still very much in circulation.