
LokiBot and NanoCore Malware Distributed in ISO Image Files

LokiBot info-stealing malware is again being distributed in a malspam campaign using ISO image file attachments. A similar campaign was reported in August 2018, but it remains an unusual method of distribution. This new campaign is also separately distributing NanoCore.

ISO image files are designed to contain the full content of an optical disk. As such, legitimate files tend to be of 100 Mb or more in size. This was one of the first clues to be detected by researchers at cloud security firm Netskope. "The observed ISO files were in the size range of 1MB to 2MB which is an unusual file size for image files," they say in a report.

So far, Netskope has detected around ten variants in the current campaign, using different ISO images and emails. The content has almost always been either LokiBot or NanoCore.

The current campaign began in April 2019, with a generic message about an invoice. It does not seem to be targeted against either individuals or specific companies. However, if the email gets through to the user's inbox, the advantage is with the attackers. This could be common since ISO files are often whitelisted in scanning engines. Furthermore, if the target does not recognize it as suspicious, and clicks on the attachment, many operating systems will automatically detect and mount the image.
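An added example, not from Netskope's report or the original article: a triage check that combines the size clue with a look inside the image, reading the ISO 9660 primary volume descriptor and flagging small images whose root directory holds executable-looking files. The extension watch list, the function names and the sample image are constructed for illustration, and Joliet or UDF-only volumes are not parsed.

```python
import struct

SECTOR = 2048
MIN_TYPICAL_ISO = 100 * 1024 * 1024  # article: legitimate images tend to be 100 MB or more
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".js", ".vbs")  # assumed watch list

def root_entries(image: bytes):
    """Return [(name, is_dir)] for the root directory named by the primary volume descriptor."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 primary volume descriptor")
    # Root directory record sits at PVD offset 156; read the little-endian extent and length.
    lba, size = struct.unpack_from("<I4xI", pvd, 156 + 2)
    data, entries, pos = image[lba * SECTOR:lba * SECTOR + size], [], 0
    while pos + 33 < len(data):
        rec_len = data[pos]
        if rec_len == 0:  # zero padding: records never span a sector boundary
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name = data[pos + 33:pos + 33 + data[pos + 32]]
        if name not in (b"\x00", b"\x01"):  # skip the "." and ".." records
            text = name.decode("ascii", "replace").split(";")[0]  # drop ";1" version
            entries.append((text, bool(data[pos + 25] & 0x02)))
        pos += rec_len
    return entries

def triage(image: bytes) -> dict:
    """Flag a small ISO attachment whose root directory holds executable-looking files."""
    hits = [n for n, is_dir in root_entries(image)
            if not is_dir and n.lower().endswith(EXEC_EXTS)]
    small = len(image) < MIN_TYPICAL_ISO
    return {"small": small, "executables": hits, "suspicious": small and bool(hits)}

def make_record(name: bytes, lba: int, size: int, flags: int) -> bytes:
    """Build one directory record (used only for the constructed sample below)."""
    rec = (b"\x00" + struct.pack("<I", lba) + struct.pack(">I", lba)
           + struct.pack("<I", size) + struct.pack(">I", size) + bytes(7)
           + bytes([flags, 0, 0]) + b"\x01\x00\x00\x01" + bytes([len(name)]) + name)
    rec += b"\x00" * ((len(rec) + 1) % 2)  # total record length must be even
    return bytes([len(rec) + 1]) + rec

def sample_iso(filename: bytes = b"INVOICE.EXE;1") -> bytes:
    """Constructed sample: a 20-sector image with one file in the root directory."""
    dot = make_record(b"\x00", 18, SECTOR, 2)
    root = dot + make_record(b"\x01", 18, SECTOR, 2) + make_record(filename, 19, 4, 0)
    pvd = (b"\x01CD001\x01" + bytes(149) + dot).ljust(SECTOR, b"\x00")
    term = b"\xffCD001\x01".ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + pvd + term + root.ljust(SECTOR, b"\x00") + bytes(SECTOR)
```

Calling `triage(sample_iso())` on the constructed image reports it as small, lists `INVOICE.EXE` and marks it suspicious; a real gateway would pass the attachment bytes instead.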

LokiBot was similarly delivered in a format designed to fool unwary recipients towards the end of 2018. At that time, it was delivered as a file using the old .com extension, presumably hoping that victims would not recognize the file as an executable. At that time, the most common lure was a purchase order theme, rather than the current invoice theme.

The latest delivered version of LokiBot is little changed from earlier versions. New procedures include using the IsDebuggerPresent() function to determine if it is loaded inside a debugger, and the common anti-VM technique of measuring the computational time difference between CloseHandle() and GetProcessHeap() to detect if it is running inside a VM.

Once running, LokiBot will probe for more than 25 different web browsers to steal browsing data, will locate the credentials for more than 15 different email and file transfer clients, and check for the presence of popular remote admin tools like SSH, VNC and RDP.

The alternative malware delivered in this campaign is the NanoCore RAT, developed by Taylor Huddleston. Huddleston was jailed for this in February 2018, but the RAT lives on. A cracked version is available for download from various internet forums. It uses AutoIt as a top-level wrapper for its main .NET compiled binary. Once decompiled, the AutoIt script, which is heavily obfuscated, constructs the .NET binary.

NanoCore has been available since 2013 and can be downloaded from the internet. It is a modular trojan that can be modified to include additional plugins, expanding its functionality and performance based on the user's needs. In this campaign, it collects clipboard data, keystrokes and information about stored documents, and uses FTP to exfiltrate the stolen data.

The continuing use of old malware and the reuse of old distribution methods suggest that users are still not learning how to detect spam and phishing emails, nor employing adequate anti-malware tools to block them.

San Francisco, Calif-based Netskope was founded in 2012 by Sanjay Beri. The firm raised $168.7 million in a Series F funding round in November 2018, bringing the total raised to $400 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.