New ‘NanoCore’ Campaign Abuses .ZIPX File Extension to Propagate
NanoCore is a high-risk RAT that provides attackers with details on the device name and OS. This information is used to carry out various malicious activities, such as manipulating confidential files, hijacking webcam and microphone, stealing login credentials and more. Threat actors have been known to send malicious emails with attachments delivering the NanoCore RAT and have found a way to evade anti-malware and email scanners by abusing the .ZIPX file format.
Researchers at Trustwave have uncovered a new campaign that is hiding a malicious executable by giving it a .ZIPX file extension, which is used to denote that a .ZIP archive format is compressed using the WinZip archiver. In reality, the appended file is an Icon image file wrapped inside a .RAR package. .RAR is a proprietary archive file format that supports data compression, error recovery and file spanning.
“The emails, claiming to be from the purchase manager of certain organizations that the cybercriminals are spoofing, look like usual [malicious spam emails] except for their attachment,” according to a Trustwave blog, published on Thursday. “The attachments, which have a filename format ‘NEW PURCHASE ORDER.pdf*.zipx,’ are actually image (Icon) binary files, with attached extra data, which happens to be .RAR.”
In order for this attack to be successful, the victim’s machine needs to have an unzip tool that can extract the executable file inside the attachment. Enclosing the executable into a .RAR archive instead of a .ZIP file makes this more likely; it means that the file can be extracted by the popular archiving tool 7Zip, as well as WinRAR. 7Zip recognizes the .ZIPX files as Rar5 archives and can thus unpack its contents.
The malware more specifically is NanoCore version 1.2.2.0. When executed, it creates copies of itself at the AppData folder and injects its malicious code at RegSvcs.exe process, according to the analysis. From there, it sets about stealing data from the victim’s machine, including clipboard data, keystrokes, documents and files. NanoCore is also a modular trojan that can be modified to include additional plugins, expanding its functionality and performance based on the user’s needs.
Previous campaigns, including one in 2019 that delivered the Lokibot malware, have made use of the .ZIPX tactic.
Further Reading: