Spam messages carrying a ZIPX attachment have been detected distributing a malicious file that ultimately leads to a NanoCore infection. In earlier campaigns, the same method was used to deliver Lokibot.
The emails claim to come from the Purchase Manager of organizations that the cybercriminals are spoofing, and they look like ordinary malspam except for their attachment. The attachments, which follow the filename format “NEW PURCHASE ORDER.pdf*.zipx”, are actually Windows icon (ICO) binary files with extra data appended, and that appended data is a RAR archive. If the attachment evades the scanning email gateways, the next hurdle is the victim’s machine, which needs an archive tool that can extract the executable inside the attachment. Both WinZip and WinRAR were tried against the current .zipx samples: WinZip does not support unzipping either sample, whereas WinRAR managed to extract the EXE contained in both.
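As an added example (not code from the original report), the following Python check shows how a mail gateway or triage script could flag this kind of attachment from the properties described above: a .pdf*.zipx double extension, a file that claims to be ZIPX but does not start with a ZIP header, an ICO header with trailing bytes beyond the icon images it declares, and a RAR signature somewhere in the body. The ICO, ZIP and RAR magic values are the standard published format constants; the sample attachment bytes are constructed inline for the demonstration and are not taken from the campaign.

```python
import re
import struct

# Well-known format signatures
ICO_HEADER = b"\x00\x00\x01\x00"       # ICONDIR: reserved=0, type=1 (icon)
ZIP_MAGIC = b"PK\x03\x04"              # local file header of a genuine ZIP/ZIPX
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature

# Campaign naming pattern: ".pdf", anything, ".zipx" (assumed from the text above)
DOUBLE_EXT_RE = re.compile(r"\.pdf[^/\\]*\.zipx$", re.IGNORECASE)


def ico_declared_size(data):
    """Return the byte length an ICO file would have if it held only the
    images its directory declares, or None if the header cannot be parsed."""
    if len(data) < 6 or not data.startswith(ICO_HEADER):
        return None
    count = struct.unpack_from("<H", data, 4)[0]
    end = 6 + 16 * count                       # directory itself
    for i in range(count):
        entry_off = 6 + 16 * i
        if entry_off + 16 > len(data):
            return None
        # ICONDIRENTRY: w, h, colors, reserved, planes, bpp, size, offset
        size, offset = struct.unpack_from("<II", data, entry_off + 8)
        end = max(end, offset + size)
    return end


def inspect_attachment(filename, data):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    if DOUBLE_EXT_RE.search(filename):
        findings.append("double-extension filename (.pdf ... .zipx)")
    if filename.lower().endswith(".zipx") and not data.startswith(ZIP_MAGIC):
        findings.append("extension claims ZIPX but content is not a ZIP container")
    if data.startswith(ICO_HEADER):
        findings.append("content is an ICO image")
        declared = ico_declared_size(data)
        if declared is not None and len(data) > declared:
            findings.append("ICO has %d bytes of trailing data" % (len(data) - declared))
    for magic, label in ((RAR4_MAGIC, "RAR4"), (RAR5_MAGIC, "RAR5")):
        pos = data.find(magic)
        if pos != -1:
            findings.append("%s archive signature at offset %d" % (label, pos))
    return findings


def build_sample():
    """Constructed sample: a one-image ICO with a RAR5 header appended."""
    header = ICO_HEADER + struct.pack("<H", 1)                   # one icon entry
    image = b"\x00" * 40                                         # placeholder pixels
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 22)
    return header + entry + image + RAR5_MAGIC + b"\x00" * 16    # 86 bytes total


if __name__ == "__main__":
    for finding in inspect_attachment("NEW PURCHASE ORDER.pdf.zipx", build_sample()):
        print("-", finding)
```

The trailing-data check is the most robust of the four: an attacker can rename the file or use a different inner extension, but an icon that is larger than the images it declares is exactly the overlay technique the report describes, whatever archive format follows it.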