New Attack Uses Fake Icon to Deliver Trojan
Attackers Deploy NanoCore Malware as Part of Campaign
A new malware spam email campaign is delivering the NanoCore remote access Trojan as a malicious Adobe icon to infect its victims, a new report by security firm Trustwave finds.
The campaign begins with the attackers sending an email with an attachment called "NEW PURCHASE ORDER.pdf*.zipx." The attachment is an Adobe image file in RAR format, which, when unzipped using WinRAR or 7-Zip, downloads the NanoCore Trojan onto the victim's device.
"The motive behind the campaign is to hide the malicious executable from anti-malware and email scanners by abusing the file format of the '.zipx' attachment, which in this case is an Icon file with added surprises," the report notes.
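A mail-gateway style check for the mismatch described above, as an added example that is not from the Trustwave report or the original article: it compares an attachment's leading bytes with its ZIP-family extension and looks for a RAR signature after an icon header. The sample's byte layout, the lure-extension list and the finding labels are constructed assumptions, since the article does not give the file's exact structure.

```python
# Added example (not from the article): content-vs-extension check for attachments.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
ICO_MAGIC = b"\x00\x00\x01\x00"  # ICONDIR: reserved=0, type=1 (icon)
ZIP_EXTS = (".zip", ".zipx")
DOC_EXTS = (".pdf", ".doc", ".xls")  # assumed lure extensions before the real one


def find_rar_offset(data):
    """Return the offset of the first RAR signature, or -1 if none is present."""
    hits = [off for off in (data.find(m) for m in RAR_MAGICS) if off >= 0]
    return min(hits) if hits else -1


def inspect_attachment(filename, data):
    """Return finding labels (hypothetical names); an empty list means no finding."""
    findings = []
    name = filename.lower()
    stem = name.rsplit(".", 1)[0]
    claims_zip = name.endswith(ZIP_EXTS)
    if claims_zip and not data.startswith(ZIP_MAGICS):
        findings.append("extension-mismatch")      # .zip/.zipx without a ZIP header
    if claims_zip and data.startswith(ICO_MAGIC):
        findings.append("icon-header")             # file opens as an icon image
    rar_at = find_rar_offset(data)
    if rar_at > 0:
        findings.append(f"embedded-rar@{rar_at}")  # archive appended after other data
    elif rar_at == 0 and claims_zip:
        findings.append("renamed-rar")             # plain RAR given a ZIP extension
    if any(ext in stem for ext in DOC_EXTS):
        findings.append("double-extension")        # e.g. ".pdf*.zipx"
    return findings


# Constructed sample: icon header, padding, then a RAR 4.x signature and filler bytes.
SAMPLE = ICO_MAGIC + b"\x01\x00" + bytes(16) + RAR_MAGICS[0] + b"constructed-filler"
BENIGN = ZIP_MAGICS[0] + bytes(30)

if __name__ == "__main__":
    print(inspect_attachment("NEW PURCHASE ORDER.pdf*.zipx", SAMPLE))
    print(inspect_attachment("report.zip", BENIGN))
```

A RAR signature at a nonzero offset can also occur in a legitimate ZIP that stores a RAR file uncompressed, so the findings are best combined rather than acted on individually.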
NanoCore RAT, also known as Nancrat, has been active since 2013. The malware is designed to steal information, such as passwords and emails, from PCs. It's also capable of accessing, modifying and obtaining copies of any files on the PC and activating webcams to spy on victims, as well as logging keystrokes.
Since it became active, NanoCore RAT has been tied to attacks in at least 10 countries, including 2015 attacks against energy firms in the Middle East and Asia.
In 2018, Taylor Huddleston, an Arkansas developer, was sentenced to serve more than two years in prison for developing and selling malware and malware distribution tools. He pleaded guilty to charges of aiding and abetting computer intrusions for developing, marketing and distributing NanoCore RAT as well as another strain (see: 'NanoCore RAT' Developer Gets 33-Month Prison Sentence).
Although the malware's author has been sentenced, NanoCore has been actively deployed by other threat actors. For example, in April 2020, security firm Cisco Talos uncovered a malspam campaign that deployed NanoCore using hosting sites such as Pastebin to host its infection components.
Other hacking campaigns have also used similar tactics to deploy malware.
Another campaign reported by Trustwave found that attackers were hiding the payload as a PNG image.