INSUBCONTINENT EXCLUSIVE:
Security researchers at Trustwave have discovered a new phishing campaign that utilized a specially crafted ZIP file, designed to bypass
secure email gateways, to distribute the NanoCore RAT.Users are targeted through a spam email pretending to be shipping information from an
Export Operation Specialist of USCO Logistics
Attached to the email is a ZIP archive that has a file size which is greater than its uncompressed content.In a new report, Trustwave
explained why the size of the ZIP raised suspicions among its researchers, saying:"The attachment “SHIPPING_MX00034900_PL_INV_pdf.zip“
makes this message stand out
The ZIP file had a file size significantly greater than that of its uncompressed content
Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the
original files by a reasonable number of bytes."In addition to a special structure that contains the compressed data and information about
the compressed files, each ZIP archive also contains a single End of Central Directory (EOCD) record that is used to indicate the end of the
archive structure.However, when Trustwave researchers examined the ZIP file attached to the spam email, they found that the ZIP archive
contained two distinct archive structures that both had their own EOCD record
A ZIP archive should have only one EOCD record and this shows that the ZIP file created by the attackers was altered to contain two archive
structures.The first ZIP structure acts as a decoy and contains a harmless image file called order.jpg
The second ZIP structure on the other hand contained an executable file which contained the NanoCore Remote Access Trojan (RAT)
Trustwave then determined that the attackers created this specially crafted ZIP archive in an effort to bypass secure email gateways.When
attempting to open the archive using several file extraction programs, the researchers discovered that the archive was treated differently
on a program by program basis
While Windows built-in ZIP extractor said the file was invalid and wouldn't extract it, Trustwave discovered that certain versions of
PowerArchiver, WinRar and 7-Zip were able to properly extract the NanoCore executable.The technique used by the attackers could allow them
to deliver malicious payloads that are able to bypass email scanners, but due to the way file extraction programs work, less users would be
infected than they initially intended.Protect your devices from the latest cyber threats with the best antivirus softwareVia Bleeping
