A new phishing campaign is discovered using a ZIP file that was designed to bypass secure email gateways to distribute the NanoCore RAT. It’s a spam email pretending to be shipping information from an Export Operation Specialist of USCO Logistics. It looked suspicious as the ZIP’s file size was greater than its uncompressed content. Below is the email body emphasizing on the attachment.
After the first EOCD comes some extra data – another ZIP file structure. It turns out that the first ZIP structure is for the image file “order.jpg” while the second one is for an executable file “SHIPPING_MX00034900_PL_INV_pdf.exe“. The image file is benign while the “SHIPPING_MX00034900_PL_INV_pdf.exe“ is a NanoCore RAT. This remote access trojan has the capability that allows an attacker to completely take control of the compromised machine. It connects to its command and control server at 194.5.98[.]85 on port 11903. This NanoCore RAT is version 126.96.36.199.
TrustWave determined that only certain versions of the PowerArchiver, WinRar, and older 7-Zip utilities properly extracted the NanoCore executable.