A new attack uses a fake image to deliver a Trojan

Cybercrime, Fraud Management & Cybercrime, Malware as-a-Service

Attackers use NanoCore Malware as part of the campaign

Akshaya Asokan (asokan_akshaya) •
March 13, 2021

Sample email with a .zipx link. Source: Trustwave

A new malspam campaign delivers the NanoCore remote access Trojan disguised as an Adobe image file to infect victims, according to a new report from security company Trustwave.


The campaign begins with the attackers sending an email carrying an attachment named “NEW PURCHASE ORDER.pdf*.zipx.” The attachment is an Adobe image file in RAR format which, when extracted with WinRAR or 7-Zip, delivers the NanoCore Trojan onto the victim’s device.

The aim of the campaign is to hide the malware from anti-malware and email scanners by abusing the “.zipx” attachment file format, “which in this case is an icon file with an added surprise,” the report notes.
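The trick described above is a mismatch between what the attachment name claims (a .zipx archive with a document-looking inner extension) and what the bytes actually are (an icon file with a RAR archive appended). The following is an added example of a defender-side check for that mismatch; it is not Trustwave’s tooling or any code from the report. The container signatures are general file-format knowledge, the `classify_attachment` and `build_icon_with_rar` names are my own, and the sample bytes are constructed here (the “RAR archive” is only a signature plus padding, not a real archive).

```python
import io
import re
import struct
import zipfile

# Well-known container signatures (general file-format knowledge, not taken from the report).
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
ZIP_SIG = b"PK\x03\x04"
ICO_HEADER = struct.pack("<HH", 0, 1)  # ICONDIR: reserved = 0, type = 1 (icon)

# Extensions whose body should be a ZIP container; .zipx is WinZip's extended ZIP format.
ZIP_LIKE_EXTENSIONS = {"zip", "zipx"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}


def find_embedded_rar(data: bytes) -> int:
    """Offset of the first RAR (v4 or v5) signature anywhere in the bytes, or -1."""
    offsets = [off for off in (data.find(RAR5_SIG), data.find(RAR4_SIG)) if off != -1]
    return min(offsets) if offsets else -1


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims with what the bytes are and list the mismatches."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Inner name parts with punctuation removed, so "pdf*" still reads as "pdf".
    inner_exts = {re.sub(r"[^a-z0-9]", "", p) for p in parts[1:-1]}
    starts_ico = data[:4] == ICO_HEADER
    starts_zip = data.startswith(ZIP_SIG)
    rar_off = find_embedded_rar(data)

    findings = []
    if ext in ZIP_LIKE_EXTENSIONS and not starts_zip:
        findings.append("extension claims a ZIP container but the header is not ZIP")
    if starts_ico and rar_off > 0:
        findings.append(f"icon header followed by a RAR signature at offset {rar_off}")
    if inner_exts & DOCUMENT_EXTENSIONS:
        findings.append("document extension hidden inside the file name")

    return {"extension": ext, "starts_ico": starts_ico, "starts_zip": starts_zip,
            "rar_offset": rar_off, "findings": findings, "suspicious": bool(findings)}


def build_icon_with_rar() -> bytes:
    """Constructed sample: a 16x16 icon directory, 64 bytes of fake pixel data, then a RAR5 signature."""
    icondir = struct.pack("<HHH", 0, 1, 1)                        # 6 bytes
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 64, 22)  # 16-byte ICONDIRENTRY
    pixels = b"\x00" * 64
    return icondir + entry + pixels + RAR5_SIG + b"\x00" * 32      # RAR signature lands at offset 86


def build_benign_zip() -> bytes:
    """Constructed sample: a genuine ZIP container under a .zipx name, which should pass."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", "constructed benign content")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("NEW PURCHASE ORDER.pdf*.zipx", build_icon_with_rar()),
               ("invoice.zipx", build_benign_zip())]
    for name, blob in samples:
        result = classify_attachment(name, blob)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

The check is deliberately independent of the archiver: it does not try to extract anything, it only asks whether the declared container type, the leading header and any signature found deeper in the file agree with one another. A mail gateway that inspects attachments this way flags the icon-plus-RAR construction even though each layer on its own looks like an ordinary file type.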

NanoCore Capabilities

NanoCore RAT, also known as Nancrat, has been active since 2013. The malware is designed to steal information such as passwords and emails from PCs. It can also access, modify and copy any file on the PC, activate webcams to spy on victims, and record keystrokes.

Since it became active, NanoCore RAT has been linked to attacks in at least 10 countries, including the 2015 attacks against energy companies in the Middle East and Asia.

In 2018, Taylor Huddleston, a developer from Arkansas, was sentenced to more than two years in prison for developing and selling malware. He pleaded guilty to charges of aiding and abetting computer intrusions through the development, marketing and distribution of NanoCore RAT as well as other malware (see: ‘NanoCore RAT’ Developer Gets 33-Month Prison Sentence).

Although the malware’s author was convicted, NanoCore has continued to be actively used by other threat actors. For example, in April 2020, security company Cisco Talos discovered a malspam campaign spreading NanoCore that used hosting sites such as Pastebin to host its infection components.

Similar Campaigns

Other hacking campaigns have also used similar tactics to deliver malware.

For example, in May 2020, researchers at the security company Malwarebytes discovered a campaign that hid malicious JavaScript skimmers in the “favicon” images of several e-commerce websites to steal payment card data from shoppers (see: JavaScript Skimmers Found Hidden in ‘Favicon’ Icons).

Another campaign reported by Trustwave found that attackers hid the malicious payload inside a PNG image.
