
LokiBot and NanoCore Malware Distributed in ISO Image Files

LokiBot info-stealing malware is again being distributed in a malspam campaign using attached ISO image file attachments. Similar was reported in August 2018, but it remains an unusual method of distribution. This new campaign is also separately distributing NanoCore.

ISO image files are designed to contain the full content of an optical disk. As such, legitimate files tend to be 100 MB or more in size. This was one of the first clues detected by researchers at cloud security firm Netskope. “The observed ISO files were in the size range of 1MB to 2MB which is an unusual file size for image files,” they say in a report.
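The size clue above is easy to turn into an attachment check. The following is an added example, not Netskope's or SecurityWeek's code: it confirms the ISO 9660 signature in the primary volume descriptor, reads the declared volume size, and flags images below an assumed 10 MiB threshold (the article only says legitimate images run to 100 MB or more, so the exact cut-off is an assumption). The sample image is constructed in the block.

```python
import struct
from dataclasses import dataclass, field

ISO_SIGNATURE = b"CD001"            # ISO 9660 volume descriptor identifier
SECTOR = 2048                       # logical sector size used by ISO 9660 images
PVD_OFFSET = 16 * SECTOR            # the primary volume descriptor lives in sector 16
SMALL_ISO_LIMIT = 10 * 1024 * 1024  # assumption: a disc image under 10 MiB is "unusually small"

@dataclass
class IsoVerdict:
    is_iso: bool
    size_bytes: int
    volume_id: str
    declared_bytes: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

def inspect_iso_attachment(filename: str, data: bytes) -> IsoVerdict:
    """Flag an e-mail attachment that claims to be, or is, a tiny ISO image."""
    size, is_iso, volume_id, declared = len(data), False, "", 0
    if size >= PVD_OFFSET + SECTOR and data[PVD_OFFSET + 1:PVD_OFFSET + 6] == ISO_SIGNATURE:
        is_iso = True
        pvd = data[PVD_OFFSET:PVD_OFFSET + SECTOR]
        volume_id = pvd[40:72].decode("ascii", "replace").strip()
        blocks = struct.unpack_from("<I", pvd, 80)[0]        # volume space size (little-endian half)
        block_size = struct.unpack_from("<H", pvd, 128)[0]   # logical block size (little-endian half)
        declared = blocks * block_size
    verdict = IsoVerdict(is_iso, size, volume_id, declared)
    if filename.lower().endswith(".iso") and not is_iso:
        verdict.reasons.append("carries a .iso extension but has no ISO 9660 signature")
    if is_iso and size < SMALL_ISO_LIMIT:
        verdict.reasons.append(f"ISO image is only {size} bytes; real disc images run to 100 MB or more")
    if is_iso and declared and abs(declared - size) > SECTOR:
        verdict.reasons.append("declared volume size does not match the attachment size")
    return verdict

def build_sample_iso(total_sectors: int, volume_id: bytes = b"INVOICE") -> bytes:
    """Constructed test image: 16 empty system sectors, a minimal PVD, zero padding."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, ISO_SIGNATURE, 1
    pvd[40:72] = volume_id.ljust(32)
    pvd[80:88] = struct.pack("<I", total_sectors) + struct.pack(">I", total_sectors)
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)
    image = bytes(PVD_OFFSET) + bytes(pvd)
    return image + bytes(total_sectors * SECTOR - len(image))
```

A 17-sector image (about 34 KB, the shape of the 1-2 MB lures scaled down) is flagged on size alone, while a 6000-sector image passes; a file named .iso with no volume descriptor is flagged for the extension mismatch.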

So far, Netskope has detected around ten variants in the current campaign, using different ISO images and emails. The content has almost always been either LokiBot or NanoCore.

The current campaign began in April 2019, with a generic message about an invoice. It does not seem to be targeted against either individuals or specific companies. However, if the email gets through to the user’s inbox, the advantage is with the attackers. This could be common since ISO files are often whitelisted in scanning engines. Furthermore, if the target does not recognize it as suspicious, and clicks on the attachment, many operating systems will automatically detect and mount the image.

LokiBot was similarly delivered in a format designed to fool unwary recipients towards the end of 2018. At that time, it was delivered as a file using the old .com extension, presumably in the hope that victims would not recognize the file as an executable. The most common lure then was a purchase order theme, rather than the current invoice theme.

The latest delivered version of LokiBot is little changed from earlier versions. New procedures include using the IsDebuggerPresent() function to determine if it is loaded inside a debugger, and the common anti-VM technique of measuring the computational time difference between CloseHandle() and GetProcessHeap() to detect if it is running inside a VM.

Once running, LokiBot will probe for more than 25 different web browsers to steal browsing data, will locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

The alternative malware delivered in this campaign is the NanoCore RAT, developed by Taylor Huddleston. Huddleston was jailed for this in February 2018, but the RAT lives on. A cracked version is available for download from various internet forums. It uses AutoIT as a top-level wrapper for its main .NET compiled binary. Once decompiled, the AutoIT script, which is heavily obfuscated, constructs the .NET binary.


NanoCore has been available since 2013 and can be downloaded from the internet. It is a modular trojan that can be modified to include additional plugins, expanding its functionality and performance based on the user’s needs. In this campaign, it can collect clipboard data and keystrokes, information about stored documents, and uses FTP to exfiltrate the stolen data. 

The continuing use of old malware and the reuse of old distribution methods suggests that users are still not learning how to detect spam and phishing emails, nor employing adequate anti-malware tools to block them.

San Francisco, Calif.-based Netskope was founded in 2012 by Sanjay Beri. The firm raised $168.7 million in a Series F funding round in November 2018, bringing the total raised to $400 million.

Related: Attack Combines Phishing, Steganography, PowerShell to Deliver Malware 

Related: Business Users Targeted by HawkEye Keylogger Malware 

Related: Ongoing Attacks Hit West African Financial Institutions Since Mid-2017 

Related: New LokiBot-Linked Android Trojan Emerges 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
