Cybersecurity firm Trustwave has discovered a new phishing campaign that delivers malware by email. The malware is sent inside a specially designed ZIP file that can bypass all the security gateways. The malware is the NanoCore RAT.
According to the report, targets receive a spam email purporting to come from an Export Operation Specialist at USCO Logistics; the mail claims it was sent at a customer’s request. The attachment is named “SHIPPING_MX00034900_PL_INV_pdf.zip”. A normal ZIP file is smaller than the files it contains, but this ZIP is larger than its uncompressed content. The ZIP structure contains “SHIPPING_MX00034900_PL_INV_pdf.exe”, which is NanoCore RAT. This Remote Access Trojan lets an attacker take complete control of the recipient’s machine. The RAT in the attachment can be found for free on the dark web.
Trustwave became suspicious of the mail because its Reply-To and From email addresses differed. The attachment is mentioned twice in the message body to catch the reader’s attention.
The executable is packaged alongside another file, “order.jpg”, an image used as a decoy to hide the malware. According to the firm, security gateways inspect the image file while the malicious content goes unnoticed. The attack succeeds only if a particular version of an archive tool is used to decompress the ZIP.
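A "specially designed" archive that one tool sees as an image and another as an executable can be checked without trusting any single extractor. The example below is added here and is not Trustwave's code: it constructs a sample by appending two ordinary ZIPs (one holding a placeholder order.jpg, the other a placeholder with the reported .exe name; the two-archives-in-one layout is my assumption about how such a file is built, the file names are the article's, the bytes are not), then walks every End of Central Directory record instead of only the last one, so an archive carrying more than one directory is flagged.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # End of Central Directory record signature

# Constructed sample files: the names are the reported ones, the contents are placeholders.
DECOY = {"order.jpg": b"\xff\xd8\xff placeholder image bytes"}
PAYLOAD = {"SHIPPING_MX00034900_PL_INV_pdf.exe": b"placeholder, not an executable"}


def build_zip(entries):
    """Write {name: bytes} into an ordinary in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def analyze_zip(blob):
    """Walk every EOCD record, not only the last one.
    Returns (names_per_eocd, declared_uncompressed_total); a well-formed
    archive has exactly one EOCD, several means several central directories."""
    names_per_eocd, uncompressed = [], 0
    pos = blob.find(EOCD_SIG)
    while pos != -1:
        # EOCD: sig, disk, cd_disk, n_this_disk, n_total, cd_size, cd_off, comment_len
        n_total, cd_size = struct.unpack_from("<4sHHHHIIH", blob, pos)[4:6]
        # cd_off is relative to that archive's own start, so in a concatenated
        # file it is misleading; walk back from the EOCD by cd_size instead.
        off, names = pos - cd_size, []
        for _ in range(n_total):
            hdr = struct.unpack_from("<4s6H3I5H2I", blob, off)  # 46-byte CD header
            name_len, extra_len, comment_len = hdr[10], hdr[11], hdr[12]
            names.append(blob[off + 46:off + 46 + name_len].decode("utf-8", "replace"))
            uncompressed += hdr[9]  # uncompressed size field
            off += 46 + name_len + extra_len + comment_len
        names_per_eocd.append(names)
        pos = blob.find(EOCD_SIG, pos + 1)
    return names_per_eocd, uncompressed


def is_suspicious(blob):
    """Flag an archive carrying more than one central directory."""
    return len(analyze_zip(blob)[0]) != 1


def stdlib_view(blob):
    """Names Python's zipfile reports; it honours only the final EOCD."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()
```

Comparing `stdlib_view` with `analyze_zip` on the same blob shows the gap a gateway falls into: one parser reports only the members behind the last directory, while the full walk lists every member in the file.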