
Rewterz Threat Alert – Double Loaded Zip File Delivers Nanocore

November 13, 2019

Severity

Medium

Analysis Summary

A new email campaign is being used to distribute the NanoCore RAT via an unusually formatted ZIP archive attachment. The courier-themed email claims to be from an Export Operation Specialist of USCO Logistics and requests that the user open a ZIP attachment that attempts to masquerade as a PDF. However, unlike a typical ZIP archive, this attachment has two End of Central Directory (EOCD) records, indicating a second ZIP structure contained within the same archive. Based on analysis, it was determined that the first structure extracts to a benign PNG image, while the second extracts to an executable. The executable is the NanoCore RAT version 1.2.2.0, which was released just a few months ago. The researchers ran tests to determine how different archiving tools would handle this oddly formatted ZIP archive. Five common archiving tools were tested, and the tool version also affected the results. Two of the tested tools were unable to recognize the file as a valid archive. Of the remaining tools, most extracted the executable, while one extracted the benign PNG. This technique of using two ZIP structures with a benign file as the first structure may succeed in bypassing email gateways, depending on how the gateways analyze ZIP archives. However, even if the attachment bypasses security mechanisms, the success of the delivery also depends on the archiving tool and version used by the recipient.
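
As an added detection illustration (not part of the Rewterz advisory and not the researchers' tooling), the Python below builds a constructed archive with the same shape as described above, a benign PNG structure followed by a second complete ZIP structure, then enumerates every EOCD record and the entry names behind each, and contrasts that with what Python's own zipfile module would extract. The file and entry names are constructed, and the check assumes each central directory sits directly before its EOCD record (the normal layout).

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature
CDFH_SIG = b"PK\x01\x02"  # Central Directory file header signature


def build_sample_zip(entries: dict) -> bytes:
    # Constructed sample data: an ordinary single-structure ZIP built in memory.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_double_zip() -> bytes:
    # Constructed sample mimicking the advisory's layout: a benign PNG structure
    # first, then a second complete ZIP structure appended to the same file.
    benign = build_sample_zip({"invoice.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16})
    second = build_sample_zip({"document.exe": b"MZ" + b"\x00" * 32})
    return benign + second


def find_zip_structures(data: bytes) -> list:
    """One {'eocd_offset', 'entries', 'names'} dict per EOCD record found.
    A well-formed ZIP has exactly one EOCD; more than one means a second ZIP
    structure is embedded. Names are read by walking back cd_size bytes from
    the EOCD, so the stored central-directory offset is never trusted."""
    found = []
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + 22 <= len(data):
        # EOCD: sig, disk, cd_disk, entries_disk, entries_total, cd_size, cd_offset, comment_len
        _, _, _, _, entries, cd_size, _, _ = struct.unpack_from("<4sHHHHIIH", data, pos)
        names, p = [], pos - cd_size
        for _ in range(entries):
            if data[p:p + 4] != CDFH_SIG:
                break  # layout assumption violated; report what was parsed so far
            # Central directory header: 46 fixed bytes, then name, extra, comment
            fields = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, p)
            name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
            names.append(data[p + 46:p + 46 + name_len].decode("utf-8", "replace"))
            p += 46 + name_len + extra_len + comment_len
        found.append({"eocd_offset": pos, "entries": entries, "names": names})
        pos = data.find(EOCD_SIG, pos + 4)
    return found


def names_seen_by_zipfile(data: bytes) -> list:
    # Python's zipfile honours only the last EOCD, so it sees the second structure.
    return zipfile.ZipFile(io.BytesIO(data)).namelist()
```

A gateway check that raises an alert whenever `find_zip_structures` returns more than one record catches this layout regardless of which structure a given extractor would pick.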

Email sample

Impact

Complete control of the compromised machine.

Indicators of Compromise

IP

194[.]5[.]98[.]85

SHA1

  • 9474e1517c98d4165300a49612888d16643efbf6
  • 06b80f9a0fba1d830dcf2ecf225ed1d19060589a
  • 0429b924e7cdbaf9f9b6aec6744eda19e8131d08

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.