
New attack spreads LokiBot & NanoCore malware in ISO image files

Both NanoCore and LokiBot are Info-stealing Trojans.

Security researchers at the San Francisco-based firm Netskope have discovered a new malware campaign distributing the info-stealer malware LokiBot and NanoCore via ISO image file attachments that appear to be an invoice.

It is noteworthy that LokiBot malware was discovered back in October 2017 and is equipped with capabilities like turning itself into ransomware if the victim tries to remove it from their system.

As for NanoCore, it is a data-stealing RAT discovered in April 2016 targeting Steam users and critical cyber infrastructure in the US and South Korea. Another interesting fact about NanoCore is that its author, 27-year-old Taylor Huddleston (“Aeonhack” on HackForums), was arrested in March 2017 and pleaded guilty to developing the NanoCore malware, admitting that he intended the product to be used maliciously.
There is a growing trend in using LokiBot as the delivery payload across a wide range of spam campaigns. The current version of Loki is similar to its previous versions, with only slight modifications in the anti-reversing techniques implemented in the bot, Netskope researchers said in their blog post.
A similar campaign was identified back in August 2018 but this campaign is different because it is making use of ISO disk image file attachments in malicious emails to hide two dynamic and equally notorious info-stealer trojans simultaneously.
According to Netskope researchers, the infected spam emails were first discovered in April 2019; these emails contained a generic message sent to random victims. The message gave details of a supposed invoice and carried an ISO file attachment, which in fact contained the abovementioned info-stealer or RAT.
Screenshot of the malicious email (Image credit: Netskope)
The campaign’s number and type of victims haven’t been disclosed by researchers as yet but it is suspected that the campaign isn’t targeted towards any particular community, user-base or enterprises but attackers are randomly sending out spammed emails to claim as many victims as possible. 
The file size in the emails ranges between 1-2MB, which is a rather unconventional size for ISO images as these normally come in much larger sizes such as 100MB or above. If the recipient of the email opens the attachment, the operating system detects and mounts the image automatically, and the attachment will often have arrived unscanned since ISO files are usually whitelisted in scanning software.
For your information, an ISO image file contains the full contents of an optical disk, that is, it contains all the data that would be written to an optical disk. Netskope has identified ten different variants of this campaign and every variant makes use of ISO images infected with either NanoCore or LokiBot.
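The two observations above, an unusually small ISO and a file type that scanners tend to wave through, are exactly what a mail-gateway triage step can check. The following is an added example, not code from the article or from Netskope, showing how a defender could recognise an ISO 9660 image by its on-disk signature (the "CD001" marker in the primary volume descriptor at sector 16) rather than by file extension, walk the image's root directory, and flag the combination of a small image and an executable payload. The size threshold, the extension list and the finding names are assumptions chosen for this example; the sample image is constructed in memory and is not a real attachment from the campaign.

```python
import struct

SECTOR = 2048
PVD_OFFSET = 16 * SECTOR        # ISO 9660 primary volume descriptor sits at sector 16
ISO_MAGIC = b"CD001"

# Triage heuristics: assumptions for this example, not Netskope's criteria.
SUSPICIOUS_EXTS = {"EXE", "SCR", "PIF", "COM", "JS", "VBS", "BAT", "CMD", "HTA"}
SMALL_ISO_BYTES = 5 * 1024 * 1024


def is_iso9660(data: bytes) -> bool:
    """Identify an ISO image by its volume descriptor, regardless of the file name."""
    if len(data) < PVD_OFFSET + 7:
        return False
    return data[PVD_OFFSET] == 1 and data[PVD_OFFSET + 1:PVD_OFFSET + 6] == ISO_MAGIC


def _dir_records(data: bytes, extent: int, length: int):
    """Yield (name, is_dir, size) for each entry of a directory extent, skipping '.' and '..'."""
    pos, end = extent * SECTOR, extent * SECTOR + length
    while pos < end:
        rec_len = data[pos]
        if rec_len == 0:                      # zero byte = padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        size = struct.unpack_from("<I", rec, 10)[0]   # little-endian half of the both-endian field
        flags = rec[25]
        ident = rec[33:33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):  # \x00 and \x01 are the self/parent entries
            name = ident.decode("ascii", "replace").split(";")[0]  # drop the ';1' version suffix
            yield name, bool(flags & 0x02), size
        pos += rec_len


def list_root_files(data: bytes):
    """Return [(name, is_dir, size)] for the root directory named in the PVD (offset 156)."""
    root = data[PVD_OFFSET + 156:PVD_OFFSET + 190]
    extent = struct.unpack_from("<I", root, 2)[0]
    length = struct.unpack_from("<I", root, 10)[0]
    return list(_dir_records(data, extent, length))


def triage_attachment(filename: str, data: bytes):
    """Return a list of finding tags; an empty list means 'not an ISO or nothing notable'."""
    findings = []
    if not is_iso9660(data):
        return findings
    if not filename.lower().endswith(".iso"):
        findings.append("iso-signature-with-mismatched-extension")
    if len(data) <= SMALL_ISO_BYTES:
        findings.append("small-iso")
    names = [n for n, is_dir, _ in list_root_files(data) if not is_dir]
    execs = [n for n in names if n.rsplit(".", 1)[-1].upper() in SUSPICIOUS_EXTS]
    if execs:
        findings.append("executable-payload:" + ",".join(execs))
    if execs and len(names) == 1:
        findings.append("single-executable-image")
    return findings


def build_sample_iso(payload_name: str = "INVOICE.EXE", payload: bytes = b"MZ" + b"\x00" * 100) -> bytes:
    """Construct a minimal ISO 9660 image (PVD, terminator, root dir, one file). Sample data only."""
    def record(ident: bytes, extent: int, size: int, flags: int) -> bytes:
        rec = bytearray(33)
        struct.pack_into("<I", rec, 2, extent)
        struct.pack_into(">I", rec, 6, extent)
        struct.pack_into("<I", rec, 10, size)
        struct.pack_into(">I", rec, 14, size)
        rec[25] = flags
        struct.pack_into("<H", rec, 28, 1)   # volume sequence number, both-endian
        struct.pack_into(">H", rec, 30, 1)
        rec[32] = len(ident)
        rec += ident
        if len(rec) % 2:                     # records are padded to an even length
            rec += b"\x00"
        rec[0] = len(rec)
        return bytes(rec)

    image = bytearray(20 * SECTOR)
    pvd = PVD_OFFSET
    image[pvd] = 1
    image[pvd + 1:pvd + 6] = ISO_MAGIC
    image[pvd + 6] = 1
    image[pvd + 156:pvd + 190] = record(b"\x00", 18, SECTOR, 0x02)   # root directory at sector 18
    term = 17 * SECTOR                                                # volume descriptor set terminator
    image[term] = 255
    image[term + 1:term + 6] = ISO_MAGIC
    image[term + 6] = 1
    entries = record(b"\x00", 18, SECTOR, 0x02) + record(b"\x01", 18, SECTOR, 0x02) \
        + record(payload_name.encode("ascii") + b";1", 19, len(payload), 0)
    image[18 * SECTOR:18 * SECTOR + len(entries)] = entries
    image[19 * SECTOR:19 * SECTOR + len(payload)] = payload
    return bytes(image)


if __name__ == "__main__":
    print(triage_attachment("invoice.iso", build_sample_iso()))
```

Checking the signature instead of the extension matters because a gateway rule keyed on ".iso" is trivially bypassed by renaming; the parser here only needs the primary volume descriptor and root directory record, so it works on images that carry no path tables, but a production scanner should also handle Joliet and Rock Ridge extensions, which this example ignores.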
The version of LokiBot that’s part of this campaign is a bit different as it has many new procedures such as the IsDebuggerPresent() function that evaluates if it is loaded in a debugger, and the CloseHandle() and GetProcessHeap() to measure computational time lapse if running in a VM.
Furthermore, LokiBot, if running, can steal browsing data from 25 different web browsers, credentials from 15 different file transfer and email clients, and inspect the system for common remote admin tools like RDP, SSH, and VNC.
Meanwhile, the campaign uses a cracked version of Taylor Huddleston’s NanoCore RAT that uses an AutoIT script as the wrapper for its .NET compiled binary. Once decompiled, the obfuscated AutoIT script is seen to create the .NET binary. It collects keystrokes, clipboard data, and information about the files stored on the system and exfiltrates the data using FTP.
The campaign is a clear proof that threat actors are constantly trying to innovate their tactics. They have designed a malware campaign using new and old techniques, perhaps to stay “relevant,” researchers believe. 
“Choosing an image file as an attachment indicates that they are intending to defeat email filters and scanners who generally whitelist such file types,” stated Netskope researchers on Tuesday.
