ZIP files are used to bypass security gateways

Security researchers at Trustwave discovered a new phishing campaign that uses a specially crafted ZIP file to bypass secure email gateways and deliver the NanoCore RAT.

The campaign reaches users through an email purporting to be shipping information from a USCO Logistics export operations specialist. The ZIP file attached to the email is larger than its own uncompressed content.

In a new report, Trustwave explained why the size of the ZIP made its researchers suspicious:

"The attachment 'SHIPPING_MX00034900_PL_INV_pdf.zip' displays this message: The ZIP file was much larger in file size than its uncompressed content, and typically the ZIP file size should be less than the uncompressed content, or in some cases ZIP files will be larger than the original files by a reasonable number of bytes."

Suspicious ZIP files

In addition to a special structure that contains the compressed data and information about the compressed files, each ZIP archive also contains a unique EOCD (End of Central Directory) record used to indicate the end of the archive structure.

However, when Trustwave researchers examined the ZIP file attached to the spam email, they found that it contained two separate file structures, each with its own EOCD record. A ZIP file should contain only one EOCD record, so the attackers' archive had clearly been crafted to hold two complete file structures.

The first ZIP structure acts as a decoy and contains a harmless image file called order.jpg. The second ZIP structure contains an executable carrying the NanoCore Remote Access Trojan (RAT). Trustwave concluded that the attackers built this specially crafted ZIP file to slip past secure email gateways.

When the researchers tried to open the file with various extraction programs, they found that each program handled it differently. The built-in Windows ZIP extractor reported the archive as invalid and did not extract it, but Trustwave found that some versions of PowerArchiver, WinRAR and 7-Zip successfully extracted the NanoCore executable.
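The two-EOCD layout and the tool-dependent handling described above, as an added detection example (not code from the article or from Trustwave): the script builds a constructed sample archive with a decoy structure followed by a second structure holding an inert text placeholder, then splits the bytes at each EOCD record, lists what each structure contains, and applies the two indicators the article mentions (more than one EOCD record, and an archive larger than the content the first structure advertises). The file names, sample content and the "suspicious" threshold are assumptions for illustration.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature

def build_archive(compression, files):
    """Build a standalone ZIP in memory (only used to construct the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in files:
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: a small decoy structure followed by a second, stored one
# holding an inert text placeholder (not an executable), like the article's ZIP.
DECOY = build_archive(zipfile.ZIP_DEFLATED, [("order.jpg", b"\x00" * 2000)])
HIDDEN = build_archive(zipfile.ZIP_STORED,
                       [("payload.bin", b"placeholder, not a real binary\n" * 200)])
SAMPLE = DECOY + HIDDEN

def split_structures(data):
    """One byte segment per EOCD record (the signature can also occur by chance
    inside compressed data, so treat the count as an indicator, not proof)."""
    segments, start = [], 0
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + 22 <= len(data):
        comment_len = struct.unpack_from("<H", data, pos + 20)[0]
        end = pos + 22 + comment_len  # fixed 22-byte record plus comment
        segments.append(data[start:end])
        start = end
        pos = data.find(EOCD_SIG, end)
    return segments

def analyze_zip(data):
    """List every structure's members and apply Trustwave's two indicators."""
    structures = []
    for part in split_structures(data):
        with zipfile.ZipFile(io.BytesIO(part)) as zf:
            structures.append([(i.filename, i.file_size) for i in zf.infolist()])
    visible = sum(size for _, size in structures[0]) if structures else 0
    return {"eocd_records": len(structures), "archive_size": len(data),
            "first_structure_uncompressed": visible, "structures": structures,
            "suspicious": len(structures) != 1 or len(data) > visible}

def names_seen_by_zipfile(data):
    """What a reader that trusts the last EOCD (Python's zipfile) reports."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist()]
```

Running `names_seen_by_zipfile(SAMPLE)` shows only the second structure's member, which illustrates why a scanner that relies on a single library's view of the archive can miss one of the two structures.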

The technique could allow attackers to deliver malicious payloads that bypass email scanners, but because extraction programs handle the file inconsistently, the number of infected users would be lower than the attackers originally planned.

Via BleepingComputer