NanoCore RAT Scurries Past Email Defenses with .ZIPX Tactic

nanocore rat email

A spam campaign hides a malicious executable behind file archive extensions.

A spate of malicious emails with attachments delivering the NanoCore remote access trojan (RAT) is evading anti-malware and email scanners by abusing the .ZIPX file format.

That’s according to researchers at Trustwave, who found that the campaign is effectively hiding a malicious executable by giving it a .ZIPX file extension, which is used to denote that a .ZIP archive format is compressed using the WinZip archiver. In reality, the appended file is an Icon image file wrapped inside a .RAR package. .RAR is a proprietary archive file format that supports data compression, error recovery and file spanning.

“The emails, claiming to be from the purchase manager of certain organizations that the cybercriminals are spoofing, look like usual [malicious spam emails] except for their attachment,” according to a Trustwave blog, published on Thursday. “The attachments, which have a filename format ‘NEW PURCHASE ORDER.pdf*.zipx,’ are actually image (Icon) binary files, with attached extra data, which happens to be .RAR.”

The victim’s machine needs to have an unzip tool that can extract the executable file inside the attachment. Enclosing the executable into a .RAR archive instead of a .ZIP file makes this more likely; it means that the file can be extracted by the popular archiving tool 7Zip, as well as WinRAR, Trustwave noted. 7Zip recognizes the .ZIPX files as Rar5 archives and can thus unpack its contents.

WinZip however does not support unzipping of the file.

“The NanoCore malware could be installed onto the system, if the user decides to run and extract it,” the researchers explained. “It all works because various archive utilities try their darndest to find something to unzip within files. You might even argue they try too hard.”

The malware more specifically is NanoCore version When executed, it creates copies of itself at the AppData folder and injects its malicious code at RegSvcs.exe process, according to the analysis. From there, it sets about stealing data from the victim’s machine, including clipboard data, keystrokes, documents and files. NanoCore is also a modular trojan that can be modified to include additional plugins, expanding its functionality and performance based on the user’s needs.

Previous campaigns, including one in 2019 that delivered the Lokibot malware, have made use of the .ZIPX tactic, researchers said.

“The recently reported phishing campaign that spreads the NanoCore trojan is a variation on an old theme,” Saryu Nayyar, CEO at Gurucul, said via email. “It relies on a bit of social engineering, using a plausible hook, to coax a target into opening an infected file. In this case, the attackers are trying to use file formats and naming conventions to keep the target’s anti-malware software from detecting the trojan.  However, it still relies on the user falling for the ruse.”

Check out our free upcoming live webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community:


Suggested articles