New Attack Uses Fake Icon to Deliver Trojan
Attackers Deploy NanoCore Malware as Part of Campaign

A new malware spam email campaign is delivering the NanoCore remote access Trojan as a malicious Adobe icon to infect its victims, a new report by security firm Trustwave finds.
The campaign begins with the attackers sending an email with an attachment called "NEW PURCHASE ORDER.pdf*.zipx." The attachment is an Adobe icon image file in RAR format which, when unzipped using WinRAR or 7-Zip, downloads the NanoCore Trojan onto the victims' devices.
"The motive behind the campaign is to hide the malicious executable from anti-malware and email scanners by abusing the file format of the '.zipx' attachment, which in this case is an Icon file with added surprises," the report notes.
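As an added example (not code from the Trustwave report), the following Python check flags the mismatch this campaign relies on: an attachment whose extension claims an archive but whose bytes begin with an icon header, with an archive signature embedded further in. The sample bytes are constructed here to stand in for the real attachment.

```python
import struct
from pathlib import PurePath

# Public file-format magic bytes (ICO header, ZIP local file header, RAR4/RAR5).
ICO_MAGIC = b"\x00\x00\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# What a well-formed file with this extension should start with.
EXPECTED_HEADER = {".zip": "zip", ".zipx": "zip", ".rar": "rar"}


def classify_attachment(name: str, data: bytes) -> dict:
    """Compare the claimed extension with the bytes actually present and
    report anything a mail gateway should log or quarantine."""
    ext = PurePath(name).suffix.lower()
    result = {"name": name, "ext": ext, "header": None, "embedded": [], "suspicious": False}
    if data.startswith(ICO_MAGIC):
        result["header"] = "ico"
    elif data.startswith(ZIP_MAGIC):
        result["header"] = "zip"
    elif data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        result["header"] = "rar"
    # WinRAR and 7-Zip locate archives by content, so an archive glued onto an
    # icon still extracts; look for archive signatures anywhere past offset 0.
    for label, magic in (("zip", ZIP_MAGIC), ("rar", RAR4_MAGIC), ("rar", RAR5_MAGIC)):
        pos = data.find(magic, 1)
        if pos > 0:
            result["embedded"].append((label, pos))
    # Extension says archive, header says something else: format abuse.
    if ext in EXPECTED_HEADER and result["header"] != EXPECTED_HEADER[ext]:
        result["suspicious"] = True
    # An icon carrying an archive inside it is the exact lure described above.
    if result["header"] == "ico" and result["embedded"]:
        result["suspicious"] = True
    return result


def build_sample() -> bytes:
    """Constructed stand-in: a one-entry ICO header, 64 bytes of filler image
    data, then a RAR5 signature at offset 86 (not the real campaign file)."""
    header = ICO_MAGIC + struct.pack("<H", 1)
    # Directory entry: 16x16, 0 colours, reserved, 1 plane, 32 bpp, 64 bytes at offset 22.
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 64, 22)
    return header + entry + b"\x00" * 64 + RAR5_MAGIC + b"\x00" * 16


if __name__ == "__main__":
    print(classify_attachment("NEW PURCHASE ORDER.pdf*.zipx", build_sample()))
```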
NanoCore Capabilities
NanoCore RAT, also known as Nancrat, has been active since 2013. The malware is designed to steal information, such as passwords and emails, from PCs. It's also capable of accessing, modifying and obtaining copies of any files on the PC and activating webcams to spy on victims, as well as logging keystrokes.
Since the malware has been active, NanoCore RAT has been tied to attacks in at least 10 countries, including 2015 attacks against energy firms in the Middle East and Asia.
In 2018, Taylor Huddleston, an Arkansas developer, was sentenced to serve more than two years in prison for developing and selling malware and malware distribution tools. He pleaded guilty to charges of aiding and abetting computer intrusions for developing, marketing and distributing NanoCore RAT as well as another strain (see: 'NanoCore RAT' Developer Gets 33-Month Prison Sentence).
Although the malware's author has been sentenced, NanoCore has been actively deployed by other threat actors. For example, in April 2020, security firm Cisco Talos uncovered a malspam campaign that deployed NanoCore using hosting sites such as Pastebin to host its infection components.
Similar Campaigns
Other hacking campaigns have also used similar tactics to deploy malware.
For instance, in May 2020, researchers at security firm Malwarebytes uncovered a campaign that hid malicious JavaScript skimmers in the "favicon" icons of several e-commerce websites to steal payment card data from customers (see: JavaScript Skimmers Found Hidden in 'Favicon' Icons).
Another campaign reported by Trustwave found that attackers were hiding the payload as a PNG image.