A series of malicious emails with attachments delivering the NanoCore Remote Access Trojan (RAT) is evading email and anti-malware scanners by abusing the .ZIPX file format.
NanoCore malware
NanoCore is a remote access tool (RAT) first released in 2013; several versions have appeared since then. The malware is written on the .NET framework and communicates with its controller over Transmission Control Protocol (TCP) on any port.
When executed, the NanoCore 1.2.2.0 malware creates copies of itself in the AppData folder and injects its malicious code into the RegSvcs.exe process.
The malware comes with some basic plugins that extend its functionality. Among the wide range of plugins available for NanoCore are ones that provide:
- Cryptocurrency mining.
- Screen sharing.
- File and password theft, and keylogging.
Sample Generator
Operators only need to run a Windows executable to start the command and control (C2) server and the sample generator, which creates a NanoCore binary with the desired configuration.
Building a NanoCore binary from the builder is extremely easy: it takes nothing more than setting a few options and clicking the Build button.
Summary of capabilities
- Downloads and runs additional payloads.
- Installs additional plugins.
- Provides remote access.
- Steals data from browser forms.
- Takes screenshots.
- Steals stored credentials.
- Records keystrokes.
- Takes pictures with the webcam.
Behavior summary:
- Uses a persistence mechanism.
- Encrypts communication with its controller.
- Supports privilege escalation.
NanoCore is sold on underground forums for a price of $20. This low price, combined with the design focused on ease of use described above, has made it a preferred choice of cyber actors for their malware campaigns.
This has kept NanoCore prevalent among numerous threat actors for many years.
Malicious campaign
In an investigation led by the Trustwave team, the researchers detail a new malspam campaign whose malicious payloads are hidden in a file with a .ZIPX extension.
Techniques used:
- Phishing: an email with a malicious attachment is sent to the victim.
- Payload deployment: the user opens the attachment and the Trojan loads onto the device without being detected.
- Email compromise: the keylogger is used to steal Office 365 credentials and gain access to financial and other business-critical data.
Attached file
- The email attachment is an icon image file with a .RAR package attached to it (RAR is a proprietary archive file format that supports data compression, error recovery and file spanning).
- One file loads the Trojan while the rest are decoys that help the malicious content go unnoticed.
- According to Trustwave researchers, “The attached files, which have a filename format of ‘NEW PURCHASE ORDER.pdf *.zipx’, are actually binary image (icon) files, with additional data attached, which happens to be .RAR”.
- For the malicious payload to be executed, the victim’s computer must have an unzip tool that can extract the attached file, such as the 7-Zip or WinRAR archive tools.
Execution of the file
“NanoCore malware could be installed on the system, if the user decides to run and extract it,” the researchers explained. “Everything works because various archive utilities do their best to find something to uncompress inside the archives.”
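As an added defensive illustration (not code from the original advisory or from Trustwave), the following Python script checks an attachment the way this lure could be caught before it ever reaches an archive utility: it compares the declared extension with the real file header, notes a decoy document extension in the name, and looks for a RAR signature appended after an icon header. The sample input and the function names `inspect_attachment` and `build_polyglot_sample` are constructed for this example.

```python
import os
import struct

# Well-known signatures: ICO header (reserved=0, type=1), ZIP local-file header, and the
# RAR marker prefix shared by RAR4 ("Rar!\x1a\x07\x00") and RAR5 ("Rar!\x1a\x07\x01\x00").
ICO_HEADER = b"\x00\x00\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"
EXPECTED_MAGIC = {".zipx": ZIP_MAGIC, ".zip": ZIP_MAGIC, ".rar": RAR_MAGIC}


def inspect_attachment(name: str, data: bytes) -> dict:
    """Flag attachments whose declared extension, real header and appended data
    disagree, as in the icon-plus-RAR ".zipx" lure described above."""
    ext = os.path.splitext(name)[1].lower()
    findings = []
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        findings.append(f"declared {ext} but header bytes are {data[:4]!r}")
    if data.startswith(ICO_HEADER):
        findings.append("file starts with an icon (ICO) header")
    # A decoy document extension inside the name (e.g. ".pdf .zipx") is part of the lure.
    if ".pdf" in name.lower() and ext != ".pdf":
        findings.append("decoy .pdf in filename")
    rar_offset = data.find(RAR_MAGIC)
    if rar_offset > 0:  # archive marker that begins after a non-archive header
        findings.append(f"RAR signature appended at offset {rar_offset}")
    return {"suspicious": bool(findings), "findings": findings, "rar_offset": rar_offset}


def build_polyglot_sample() -> bytes:
    """Constructed test input (not a real malware sample): a minimal 1x1 icon
    with a RAR marker and dummy bytes appended, mimicking the lure's structure."""
    ico = ICO_HEADER + struct.pack("<H", 1)  # one image in the icon directory
    # directory entry: width, height, colors, reserved, planes, bpp, data size, data offset
    ico += bytes([1, 1, 0, 0]) + struct.pack("<HHII", 1, 1, 8, 22)
    ico += b"\x00" * 8  # placeholder pixel data
    return ico + RAR_MAGIC + b"\x00" + b"constructed, not an archive"


if __name__ == "__main__":
    result = inspect_attachment("NEW PURCHASE ORDER.pdf .zipx", build_polyglot_sample())
    for finding in result["findings"]:
        print("-", finding)
```

The same checks can be run from a mail gateway or sandbox hook on every attachment, so a file whose header is an icon but whose name claims to be an archive is quarantined before any archive utility gets the chance to "find something to uncompress".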
When executed, a newer version of the malware (NanoCore 1.2.2.0) creates copies of itself in the AppData folder and injects its malicious code into the RegSvcs.exe process. It then steals data from the victim’s computer, including clipboard contents, keystrokes, documents and files. NanoCore is also a modular Trojan: additional plugins can be added to expand its functionality and performance depending on the operator’s needs.
Overview
The recently reported phishing campaign spreading the NanoCore Trojan is one of multiple campaigns this malware has been involved in, especially via email. Social engineering with a plausible hook convinces the target to open an infected file. In this case, the attackers use file formats and naming conventions to keep the user’s anti-malware software from detecting the Trojan. This ability, combined with the ease of creating a NanoCore binary with the desired configuration, placed this malware among the most active during the first quarter of 2021.
Mitigation
The Entel Cyber Intelligence Center recommends the following:
- Create a custom rule to block the IOCs on inbound perimeter profiles.
- Phishing campaigns are characterized by misspellings or design errors. Check the content carefully, and be wary of emails with imperfections.
- Be wary of alarming emails. If a message directs or encourages you to make hasty or time-limited decisions, it is probably phishing.
- Go directly to the official site of the institution you deal with and carry out all your procedures there; this is safer than following a link received by email, WhatsApp or SMS.
- Do not click on any link or download any file in an email if you cannot independently verify the source. And even if the email is from a trusted source, check with them to see if they actually sent it.
- Do not respond to unsolicited emails from strangers and especially if they ask you to provide any personal information.
- Scan all attached files before opening them with an antivirus that performs behavior-based detection, which also helps against ransomware.
- Update Windows computers to the latest versions.
- Never follow the instruction to disable security features, if an email or document asks for it.
- Deploy anti-spam systems for email, reducing the chances of infection through mass malspam campaigns.