LokiBot and NanoCore Malware Distributed in ISO Image Files

LokiBot info-stealing malware is again being distributed in a malspam campaign that uses attached ISO image files. A similar campaign was reported in August 2018, but ISO attachments remain an unusual method of distribution. The new campaign is also separately distributing the NanoCore RAT.

ISO image files are designed to hold the full content of an optical disc, so legitimate files tend to be 100 Mb or more in size. This was one of the first clues noticed by researchers at cloud security firm Netskope. “The observed ISO files were in the size range of 1MB to 2MB which is an unusual file size for image files,” they say in a report.

So far, Netskope has detected around ten variants in the current campaign, using different ISO images and emails. The content has almost always been either LokiBot or NanoCore.

The current campaign began in April 2019 with a generic message about an invoice. It does not appear to target particular individuals or companies. However, if the email reaches the user’s inbox, the advantage lies with the attackers: ISO files are often whitelisted by scanning engines, so such messages may get through more often than other malspam, and if the recipient does not recognize the attachment as suspicious and clicks on it, many operating systems will automatically mount the image.
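The size heuristic Netskope describes can be applied at a mail gateway before the attachment ever reaches an inbox. The following Python is an added example, not code from the article or from Netskope; the 10 MiB threshold, the function names and the constructed sample image header are all assumptions of this example.

```python
# Added example: gateway-side triage of ISO attachments using the "unusually small
# disc image" heuristic from the article. Thresholds and names are assumptions.
PVD_OFFSET = 0x8000                # sector 16 of 2048-byte sectors: primary volume descriptor
HEAD_LEN = PVD_OFFSET + 2048       # bytes a gateway must read to see the whole PVD
SMALL_ISO_MAX = 10 * 1024 * 1024   # assumption: a disc image this small is unusual


def is_iso9660(head: bytes) -> bool:
    """True if the bytes carry an ISO 9660 primary volume descriptor (type 1, 'CD001')."""
    return (len(head) >= PVD_OFFSET + 6
            and head[PVD_OFFSET] == 1
            and head[PVD_OFFSET + 1:PVD_OFFSET + 6] == b"CD001")


def volume_label(head: bytes) -> str:
    """Volume identifier: 32 space-padded ASCII bytes at offset 40 of the PVD."""
    return head[PVD_OFFSET + 40:PVD_OFFSET + 72].decode("ascii", "replace").strip()


def triage_attachment(filename: str, head: bytes, total_size: int) -> list:
    """Return reasons to hold an attachment; an empty list means nothing unusual."""
    reasons = []
    iso = is_iso9660(head)
    if filename.lower().endswith(".iso") and not iso:
        reasons.append("named .iso but carries no ISO 9660 volume descriptor")
    if iso and not filename.lower().endswith((".iso", ".img")):
        reasons.append("ISO 9660 content hidden under a non-image extension")
    if iso and total_size <= SMALL_ISO_MAX:
        reasons.append(f"ISO image of only {total_size // 1024} KiB "
                       f"(label '{volume_label(head)}'); disc images are normally far larger")
    return reasons


def make_test_head(label: bytes = b"INVOICE") -> bytes:
    """Constructed sample: the first 34 KiB of a minimal ISO 9660 image, PVD only."""
    buf = bytearray(HEAD_LEN)
    buf[PVD_OFFSET] = 1
    buf[PVD_OFFSET + 1:PVD_OFFSET + 6] = b"CD001"
    buf[PVD_OFFSET + 40:PVD_OFFSET + 72] = label.ljust(32)
    return bytes(buf)


if __name__ == "__main__":
    head = make_test_head()
    print(triage_attachment("invoice_0419.iso", head, 1_600_000))        # held: ~1.5 MiB image
    print(triage_attachment("distro.iso", head, 900 * 1024 * 1024))      # [] nothing unusual
```

Only the first 34 KiB of the attachment has to be read, so the check is cheap enough to run on every message; the reported size is passed in separately so large legitimate images are not buffered.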

LokiBot was similarly delivered in a format designed to fool unwary recipients towards the end of 2018. At that time it was delivered as a file with the old .com extension, presumably in the hope that victims would not recognize the file as an executable. The most common lure then was a purchase order theme rather than the current invoice theme.

The latest delivered version of LokiBot is little changed from earlier versions. New additions include a call to IsDebuggerPresent() to determine whether it is running under a debugger, and the common anti-VM technique of measuring the difference in execution time between CloseHandle() and GetProcessHeap() to detect whether it is running inside a virtual machine.

Once running, LokiBot probes more than 25 different web browsers for browsing data to steal, locates credentials for more than 15 different email and file transfer clients, and checks for the presence of popular remote admin tools such as SSH, VNC and RDP.

The alternative payload in this campaign is the NanoCore RAT, developed by Taylor Huddleston. Huddleston was jailed for this in February 2018, but the RAT lives on: a cracked version is available for download from various internet forums. It uses an AutoIt script as a top-level wrapper for its main .NET compiled binary. Once decompiled, the heavily obfuscated AutoIt script can be seen constructing the .NET binary.

NanoCore has been available since 2013 and can be downloaded from the internet. It is a modular trojan that can be extended with additional plugins, expanding its functionality according to the user’s needs. In this campaign it collects clipboard data and keystrokes, as well as information about stored documents, and uses FTP to exfiltrate the stolen data.

The continuing use of old malware and the reuse of old distribution methods suggests that users are still not learning how to detect spam and phishing emails, nor employing adequate anti-malware tools to block them.

San Francisco, Calif-based Netskope was founded in 2012 by Sanjay Beri. The firm raised $168.7 million in a Series F funding round in November 2018, bringing the total raised to $400 million.


Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
