Rewterz Threat Alert – Double Loaded Zip File Delivers Nanocore

Severity

Medium

Analysis Summary

A new email campaign is being used to distribute the NanoCore RAT via a uniquely-formatted ZIP archive attachment. The courier-themed email claims to be from an Export Operation Specialist of USCO Logistics and requests that the user open a ZIP attachment attempting to masquerade as a PDF. However, unlike typical ZIP archives, this attachment has two End of Central Directory (EOCD) records, indicating a second ZIP structure contained within the same archive. Based on analysis, it was determined that the first structure extracts to a benign PNG image, while the second extracts to an executable. The executable is the NanoCore RAT version 1.2.2.0, which was released just a few months ago. The researchers ran tests in order to determine how different archiving tools would handle this oddly-formatted ZIP archive. Five different common archiving tools were tested and the version of the tool also impacted the results. Two of the tested tools were unable to recognize the file as a valid archive. Of the remaining tools, most extracted the executable while one extracted the benign PNG. This technique of using two ZIP structures with a benign file as the first structure may be successful in bypassing email gateways depending on how the gateways analyze ZIP archives. However, even if they bypass security mechanisms, the success of the delivery also depends on the archiving tool and version used by the recipient.

Impact

Complete control of the compromised machine.

Indicators of Compromise

IP

194[.]5[.]98[.]85

SHA1

• 9474e1517c98d4165300a49612888d16643efbf6
• 06b80f9a0fba1d830dcf2ecf225ed1d19060589a
• 0429b924e7cdbaf9f9b6aec6744eda19e8131d08

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.