Cybercrime , Fraud Management & Cybercrime , Malware as-a-Service

New Attack Uses Fake Icon to Deliver Trojan

Attackers Deploy NanoCore Malware as Part of Campaign
New Attack Uses Fake Icon to Deliver Trojan
Email sample containing a .zipx attachment (Source: Trustwave)

A new malware spam email campaign is delivering the NanoCore remote access Trojan as a malicious Adobe icon to infect its victims, a new report by security firm Trustwave finds.

See Also: Global Threat Report 2024: Executive Summary

The campaign begins with the attackers sending an email with an attachment called "NEW PURCHASE ORDER.pdf*.zipx." The attachment is an Adobe image file in RAR format, which, when unzipped using WinRAR or 7-Zip, downloads the NanoCore Trojan onto the victims' device.

"The motive behind the campaign is to hide the malicious executable from anti-malware and email scanners by abusing the file format of the ".zipx" attachment, which in this case is an Icon file with added surprises," the report notes.

NanoCore Capabilities

NanoCore RAT, also known as Nancrat, has been active since 2013. The malware is designed to steal information, such as passwords and emails, from PCs. It's also capable of accessing, modifying and obtaining copies of any files on the PC and activating webcams to spy on victims, as well as logging keystrokes.

Since the malware has been active, NanoCore RAT has been tied to attacks in at least 10 countries, including 2015 attacks against energy firms in the Middle East and Asia.

In 2018, Taylor Huddleston, an Arkansas developer, was sentenced to serve more than two years in prison for developing and selling malware and malware distribution tools. He pleaded guilty to charges of aiding and abetting computer intrusions for developing, marketing and distributing NanoCore RAT as well as another strain (see: 'NanoCore RAT' Developer Gets 33-Month Prison Sentence).

Although the malware's author has been sentenced, NanoCore has been actively deployed by other threat actors. For example, in April 2020, security firm Cisco Talos uncovered a malspam campaign that deployed NanoCore using hosting sites such as Pastebin to host its infection components.

Similar Campaigns

Other hacking campaigns have also used similar tactics to deploy malware.

For instance, in May 2020, researchers at security firm Malwarebytes uncovered a campaign that hid malicious JavaScript skimmers in the "favicon" icons of several e-commerce websites to steal payment card data from customers (see: JavaScript Skimmers Found Hidden in 'Favicon' Icons).

Another campaign reported by Trustwave found that attackers were hiding the payload as a PNG image.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.