Both NanoCore and LokiBot are Info-stealing Trojans.
Security researchers at the San Francisco-based firm Netskope have discovered a new malware campaign distributing the info-stealer malware LokiBot and NanoCore via ISO image file attachments that appear to be an invoice.
It is noteworthy that LokiBot malware was discovered back in October 2017 and is equipped with capabilities like turning itself into ransomware if the victim tries to remove it from their system.
As for NanoCore, it is a data-stealing RAT discovered in April 2016 targeting Steam users and critical cyber infrastructure in the US and S.Korea. Another interesting fact about NanoCore is that its author 27-year-old Taylor Huddleston (“Aeonhack” on HackForums) was arrested in March 2017 and pleaded guilty in to developing NanoCore malware and admitted that he intended the product to be used maliciously.
There is a growing trend in using LokiBot as the delivery payload across a wide range of spam campaigns. The current version of Loki is similar to its previous versions, with only slight modifications in the anti-reversing techniques implemented in the bot, Netskope researchers said in their blog post.
A similar campaign was identified back in August 2018 but this campaign is different because it is making use of ISO disk image file attachments in malicious emails to hide two dynamic and equally notorious info-stealer trojans simultaneously.
According to Netskope researchers, the infected spam emails were firstly discovered in April 2019; these emails contained a generic message sent to random victims. The message provided details of an invoice and an ISO file attachment was also part of the email, which actually was infected with the abovementioned payload and RAT.
The campaign’s number and type of victims haven’t been disclosed by researchers as yet but it is suspected that the campaign isn’t targeted towards any particular community, user-base or enterprises but attackers are randomly sending out spammed emails to claim as many victims as possible.
The file size in the emails ranges between 1-2MB, which is a rather unconventional size for ISO images as these normally come in much larger sizes such as 100MB or above. If the recipient of the email clicks on the attachment, other operating systems will detect and mount the image automatically since ISO files are usually whitelisted in the scanning software.
For your information, an ISO image file contains the full contents of an optical disk, that it, it contains full information of the data that will be written to an optical disk. Netskope has identified ten different variants of this campaign and every variant makes use of ISO images infected with either NanoCore or LokiBot.
The version of LokiBot that’s part of this campaign is a bit different as it has many new procedures such as the IsDebuggerPresent() function that evaluates if it is loaded in a debugger, and the CloseHandle() and GetProcessHeap() to measure computational time lapse if running in a VM.
Furthermore, LokiBot, if running, can steal browsing data from 25 different web browsers, credentials from 15 different file transfer and email clients, and inspect the system for common remote admin tools like RDP, SSH, and VNC.
Conversely, the campaign uses a cracked version of Taylor Huddlestone’s NanoCore RAT that uses AutoIT script as the wrapper for its .NET compiled binary. After decompiling, the obfuscated AutoIT script creates the .NET binary. It collects keystrokes, clipboard data, and information about the files stored on the system and exfiltrates the data using FTP.
The campaign is a clear proof that threat actors are constantly trying to innovate their tactics. They have designed a malware campaign using new and old techniques, perhaps to stay “relevant,” researchers believe.
“Choosing an image file as an attachment indicates that they are intending to defeat email filters and scanners who generally whitelist such file types,” stated Netskope researchers on Tuesday.