8 November 2019

Hackers deliver NanoCore malware using a creatively crafted ZIP archive


Hackers are constantly inventing new ways of distributing malware without them being noticed by security solutions. One such technique has been observed by security researchers at Trustwave in a new phishing campaign leveraging a specially crafted ZIP file, designed to bypass secure email gateways, to distribute the NanoCore RAT.

The structure of a ZIP archive contains compressed data, information about the compressed files and a single “End of Central Directory” (EOCD) record, which delimits the end of the archive structure. The observed campaign used fake shipping information messages purporting to be from an Export Operation Specialist of USCO Logistics. The ZIP file attached to the emails, named “SHIPPING_MX00034900_PL_INV_pdf.zip”, raised suspicions because its file size was significantly greater than that of its uncompressed content. Typically, the researchers explained, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes.

Diving deeper, the researchers found that the ZIP archive contained two distinct archive structures that both had their own EOCD record.

“After the first EOCD comes some extra data – another ZIP file structure. It turns out that the first ZIP structure is for the image file “order.jpg” while the second one is for an executable file “SHIPPING_MX00034900_PL_INV_pdf.exe”. Both are compressed when archived, and both indicate that they are the only file in their ZIP structures as indicated in their local file headers and EOCDs respectively,” the Trustwave team said.

The “order.jpg” file is a non-malicious PNG formatted image file, used to hide the content of the other ZIP structure, “SHIPPING_MX00034900_PL_INV_pdf.exe”, which is actually a NanoCore RAT. Using this malware, attackers can completely take control of the compromised machine. In the observed campaign, the hackers utilized NanoCore 1.2.2.0 RAT, which became freely available on the Dark Web just a few months ago.

Attempting to open the archive, the researchers experimented with several file extraction programs and noticed that the archive was treated differently from program to program. While the Windows built-in ZIP extractor said the file was invalid and wouldn't extract it, certain versions of PowerArchiver, WinRar and 7-Zip were able to properly extract the NanoCore executable. When the researchers opened the ZIP archive with WinRar version 3.30, the software's UI displayed “order.jpg” as the only content of the ZIP attachment, but in reality it extracted the “SHIPPING_MX00034900_PL_INV_pdf.exe” executable.
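To illustrate the two-EOCD layout described above and why extraction tools disagree on it, here is an added Python example (not Trustwave's code and not from the original article) that constructs a stand-in for the sample using the filenames from the article with placeholder contents, counts the EOCD records, lists the members of each ZIP structure, and shows what a single ordinary parse reports.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
EOCD_LEN = 22             # fixed part of the EOCD record, before the comment

def find_eocd_offsets(data: bytes) -> list:
    """Offsets of every plausible EOCD; a well-formed archive has exactly one.
    The comment-length field at +20 must fit in the file, which filters out
    signature bytes that merely occur inside compressed data."""
    found, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            if pos + EOCD_LEN + comment_len <= len(data):
                found.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return found

def list_all_structures(data: bytes) -> list:
    """Split the blob at each EOCD and list the members of every ZIP structure."""
    names, start = [], 0
    for off in find_eocd_offsets(data):
        end = off + EOCD_LEN + struct.unpack_from("<H", data, off + 20)[0]
        with zipfile.ZipFile(io.BytesIO(data[start:end])) as zf:
            names.append(zf.namelist())
        start = end
    return names

def single_parser_view(data: bytes) -> list:
    """What one ordinary parse shows: Python's zipfile trusts only the last EOCD."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample() -> bytes:
    """Constructed stand-in for the sample: two compressed archives glued together."""
    def one(name, payload):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()
    decoy = one("order.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    hidden = one("SHIPPING_MX00034900_PL_INV_pdf.exe", b"MZ" + b"\x00" * 64)
    return decoy + hidden

if __name__ == "__main__":
    blob = build_sample()
    print(list_all_structures(blob), "vs single parse:", single_parser_view(blob))
```

A gateway scanner that relies on one parser sees only one of the two member lists, so counting EOCD records and scanning every structure is the check that surfaces the hidden file.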

“This sample challenges gateways scanners. Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP structure.” 

“Despite what the gateway does, this attack would only succeed if the message got through the gateway and a particular archive utility is used by the end-user, such as certain versions of PowerArchiver, WinRar, and older 7Zip as described above,” the researchers concluded.
