Hackers are constantly inventing new ways of distributing malware without it being noticed by security solutions. One such technique has been observed by security researchers at Trustwave in a new phishing campaign that leverages a specially crafted ZIP file, designed to bypass secure email gateways, to distribute the NanoCore RAT.
The structure of a ZIP archive contains compressed data, information about the compressed files and a single “End of Central Directory” (EOCD) record, which delimits the end of the archive structure. The observed campaign used fake shipping information messages purporting to be from an Export Operation Specialist of USCO Logistics. The ZIP file attached to the emails, named “SHIPPING_MX00034900_PL_INV_pdf.zip”, raised suspicions because its file size was significantly greater than that of its uncompressed content. Typically, the researchers explained, the size of a ZIP file should be less than that of the uncompressed content or, in some cases, a ZIP file will grow larger than the original files by a reasonable number of bytes.
Diving deeper, the researchers found that the ZIP archive contained two distinct archive structures that both had their own EOCD record.
“After the first EOCD comes some extra data – another ZIP file structure. It turns out that the first ZIP structure is for the image file “order.jpg” while the second one is for an executable file “SHIPPING_MX00034900_PL_INV_pdf.exe”. Both are compressed when archived, and both indicate that they are the only file in their ZIP structures as indicated in their local file headers and EOCDs respectively,” the Trustwave team said.
The “order.jpg” file is a non-malicious PNG formatted image file, used to hide the content of the other ZIP structure - “SHIPPING_MX00034900_PL_INV_pdf.exe”, which is actually a NanoCore RAT. Using this malware, attackers can take complete control of the compromised machine. In the observed campaign, the hackers utilized NanoCore RAT version 1.2.2.0, which had become freely available on the Dark Web just a few months earlier.
Attempting to open the archive, the researchers experimented with several file extraction programs and noticed that the archive was treated differently on a program-by-program basis. While the Windows built-in ZIP extractor said the file was invalid and wouldn't extract it, certain versions of PowerArchiver, WinRar and 7-Zip were able to extract the NanoCore executable. When the researchers opened the ZIP archive with WinRar version 3.30, the software displayed “order.jpg” in its UI as the only content of the ZIP attachment, but in reality it extracted the “SHIPPING_MX00034900_PL_INV_pdf.exe” executable.
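A gateway-side check for the double-EOCD trick described above, as an added example that is not part of Trustwave's report or this article: it locates every EOCD record in an attachment, lists what each ZIP structure declares, and flags an archive that carries more than one. The file names and payloads are constructed stand-ins, and only the Python standard library's zipfile module is used.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22             # fixed part of the EOCD record (comment follows)

def find_eocd_records(data: bytes) -> list:
    """Offsets of every plausible EOCD record; a well-formed archive has one.
    A candidate counts only if a central directory header sits exactly
    cd_size bytes before it, which filters signature bytes inside compressed data."""
    found, pos = [], 0
    while (pos := data.find(EOCD_SIG, pos)) >= 0:
        if pos + EOCD_LEN <= len(data):
            cd_size = struct.unpack_from("<I", data, pos + 12)[0]
            if cd_size <= pos and data[pos - cd_size:pos - cd_size + 4] == CDH_SIG:
                found.append(pos)
        pos += len(EOCD_SIG)
    return found

def zip_structures(data: bytes) -> list:
    """Filenames declared by each ZIP structure, found by handing zipfile the
    slice that ends at each EOCD (zipfile tolerates data in front of an archive,
    so the slice ending at the second EOCD yields the second structure's names)."""
    structures = []
    for off in find_eocd_records(data):
        end = off + EOCD_LEN + struct.unpack_from("<H", data, off + 20)[0]
        with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
            structures.append({"eocd_offset": off, "names": zf.namelist(),
                               "trailing_bytes": len(data) - end})
    return structures

def is_double_loaded(data: bytes) -> bool:
    """Gateway-style verdict: a second EOCD means a second structure is present."""
    return len(find_eocd_records(data)) > 1

def build_zip(name: str, payload: bytes) -> bytes:
    """Build a one-entry deflated archive in memory (used to construct the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

# Constructed stand-in for the attachment: a decoy image archive followed by a
# second complete archive. Both payloads are inert filler, not real files.
DECOY = build_zip("order.jpg", b"\x89PNG\r\n\x1a\n" + b"decoy pixels " * 16)
HIDDEN = build_zip("SHIPPING_MX00034900_PL_INV_pdf.exe", b"MZ" + b"\x00" * 64)
DOUBLE_LOADED = DECOY + HIDDEN
```

Opening DOUBLE_LOADED with zipfile directly shows only the executable, while the slice ending at the first EOCD shows only the decoy image; a scanner that inspects just one of the two structures misses the other, which is the behaviour the researchers observed in the archiving tools.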
“This sample challenges gateways scanners. Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP structure.”
“Despite what the gateway does, this attack would only succeed if the message got through the gateway and a particular archive utility is used by the end-user, such as certain versions of PowerArchiver, WinRar, and older 7Zip as described above,” the researchers concluded.