A new email campaign is distributing the NanoCore RAT via an unusually formatted ZIP archive attachment. The courier-themed email claims to come from an Export Operation Specialist at USCO Logistics and asks the recipient to open a ZIP attachment that masquerades as a PDF. Unlike a typical ZIP archive, this attachment contains two End of Central Directory (EOCD) records, indicating that a second ZIP structure is embedded in the same file. Analysis showed that the first structure extracts to a benign PNG image, while the second extracts to an executable: the NanoCore RAT version 220.127.116.11, released only a few months earlier.

The researchers tested how different archiving tools handle this oddly formatted archive. Five common tools were tested, and the tool version also affected the outcome. Two of the tools did not recognize the file as a valid archive at all; of the remaining tools, most extracted the executable, while one extracted the benign PNG. Placing a benign file in the first ZIP structure may let the attachment bypass email gateways, depending on how a given gateway parses ZIP archives. Even when it slips past security controls, however, successful delivery still depends on which archiving tool and version the recipient uses.
Complete control of the compromised machine.
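The following is an added example, not code from the original report or from the researchers who analysed the campaign. It shows how a gateway or triage script can detect the "two ZIP structures in one file" trick described above: it constructs a sample double-loaded archive (a benign PNG-like entry followed by a second archive holding an EXE-like entry; the file names `image.png` and `invoice.exe` are constructed placeholders), scans the bytes for every EOCD signature, walks the central directory each EOCD points at, and compares that with what Python's own `zipfile` module would extract.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End of Central Directory record signature
CEN_SIG = b"PK\x01\x02"    # Central directory file header signature
CEN_HDR_LEN = 46           # fixed part of a central directory file header


def build_double_loaded_zip():
    """Constructed sample: two complete ZIP archives concatenated into one file.

    The first structure holds a benign PNG-like entry, the second an EXE-like
    entry. Contents are placeholders, not the campaign's real payload.
    """
    def make_zip(name, payload):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        return buf.getvalue()

    benign = make_zip("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    second = make_zip("invoice.exe", b"MZ" + b"\x90" * 64)
    return benign + second


def find_eocd_offsets(data):
    """Return every offset at which an EOCD signature occurs in the file."""
    offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    return offsets


def list_structure(data, eocd_off):
    """Return the entry names in the central directory this EOCD describes."""
    # EOCD layout: sig, disk, cd_disk, entries_on_disk, entries_total,
    # cd_size, cd_offset, comment_len
    _, _, _, _, n_total, cd_size, cd_off, _ = struct.unpack_from(
        "<4sHHHHIIH", data, eocd_off)
    # In a concatenated file the recorded cd_offset is relative to the start of
    # its own structure, so recover that base the same way zipfile does.
    base = eocd_off - cd_size - cd_off
    names = []
    pos = base + cd_off
    for _ in range(n_total):
        hdr = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if hdr[0] != CEN_SIG:
            break  # malformed directory; stop rather than read garbage
        name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
        name = data[pos + CEN_HDR_LEN:pos + CEN_HDR_LEN + name_len]
        names.append(name.decode("utf-8", "replace"))
        pos += CEN_HDR_LEN + name_len + extra_len + comment_len
    return names


def scan_zip(data):
    """Map every ZIP structure in the file to the entry names it declares."""
    return [(off, list_structure(data, off)) for off in find_eocd_offsets(data)]


def is_double_loaded(data):
    """Flag files carrying more than one EOCD record for closer inspection."""
    return len(find_eocd_offsets(data)) > 1


def what_python_sees(data):
    """Show which structure a real parser picks: zipfile uses the last EOCD."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_double_loaded_zip()
    for off, names in scan_zip(sample):
        print(f"EOCD at offset {off}: {names}")
    print("double-loaded:", is_double_loaded(sample))
    print("zipfile extracts:", what_python_sees(sample))
```

A scanner that only parses the first or the last EOCD will see one structure and miss the other, which is exactly why the report found the outcome varies by tool. Flagging any attachment with more than one EOCD record, and enumerating every structure before making a verdict, avoids depending on whichever structure a particular extractor happens to choose.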