An ongoing spam campaign has been spotted using ISO disk image file attachments to disguise various information-stealing trojans, including LokiBot and NanoCore.
Researchers said that they first spotted the malware-laced spam emails being distributed in April 2019. Spam sent to victims claim to be a generic message about an invoice for the victim and include an ISO file as an attachment. In reality, the attachment contains various payloads – including the LokiBot and NanoCore remote access trojan.
“Malspam campaign continues to mix and match various new and old techniques to stay relevant,” NetSkope researchers said in a Tuesday analysis. “Choosing an image file as an attachment indicates that they are intending to defeat email filters and scanners who generally whitelist such file types.”
Researchers did not give further details about the number and type of victims in the campaign, but said that the generic message about an invoice in the initial malspam email “indicates that the spam campaigns are not targeted toward any particular individuals or enterprises.”
Emails in the campaign contained ISO files that were in the size range of 1MB to 2MB which is an unusual file size for image files; usually, their sizes are in the upwards of 100MB, researchers said. An ISO image is an archive file that contains all the information that would be written to an optical disc.
The image contains only one executable file embedded in it which is the actual malware payload. Once a victim clicks on the image, either the LokiBot or Nanocore trojan was then downloaded onto their system.
LokiBot and NanoCore
One such malware sample, the LokiBot trojan, is an information stealer that is known for its adoption of various attachment types. This particular campaign touts a slightly modified version of LokiBot: The malware for instance has a new “IsDebuggerPresent()” function present to determine if it is loaded inside a debugger (a computer program that is used to test and debug other programs); as well as a common anti-VM technique, that measures the computational time difference between two processes (CloseHandle() and GetProcessHeap()) to detect if it is running inside a VM (the time different would be larger in the case of a VM).
Once the trojan infects the system, it probes more than 25 different web browsers to steal various browsing information, checks for the presence of web or email servers on machines and locates credentials for 15 different email and file transfer clients. In addition, the malware checks for the presence of popular remote administrative tools like Secure Shell (SSH) or Remote Desktop Protocol (RDP).
The other malware type spread in the campaign was the NanoCore remote access trojan, a modular trojan that can be modified to include additional plugins, expanding its functionality and performance based on the user’s needs.
Once the trojan is deployed, it begins to capture an array of information on the victim machine, including: Capturing clipboard data and monitoring keystrokes, collecting data about document files on the system and connecting to an FTP server to upload stolen data from the system.
ISO Files
Researchers said that to date, they have uncovered 10 variants of the campaign using different ISO images and emails.
Disc image files (like ISO and IMG files) are being increasingly used by attackers to deliver malware since July 2018: Most notably, researchers have seen a growing number of smaller campaigns using this technique to deliver malware like the AgentTesla information stealer. In these campaigns, a malicious doc would execute a macro to download and execute the payload; while the ISO file would contains a malicious binary inside it.
“Targeting such uncommon file formats gives an advantage to the malware authors as ISO files are usually whitelisted from scanning in various email security solutions to improve efficiency,” NetSkope researchers said. “Also, major operating systems now have default software which automatically detects and mount the ISO image once the user clicks on it. This again makes it a preferred target for the scammers.”