Malspam Emails Blanket LokiBot, NanoCore Malware With ISO Files
Quote: An ongoing spam campaign has been spotted using ISO disk image file attachments to disguise various information-stealing trojans, including LokiBot and NanoCore.
 
Researchers said that they first spotted the malware-laced spam emails being distributed in April 2019. Spam sent to victims claims to be a generic message about an invoice for the victim and includes an ISO file as an attachment. In reality, the attachment contains various payloads – including the LokiBot and NanoCore remote access trojan.
 
“Malspam campaign continues to mix and match various new and old techniques to stay relevant,” Netskope researchers said in a Tuesday analysis. “Choosing an image file as an attachment indicates that they are intending to defeat email filters and scanners who generally whitelist such file types.”
 
Researchers did not give further details about the number and type of victims in the campaign, but said that the generic message about an invoice in the initial malspam email “indicates that the spam campaigns are not targeted toward any particular individuals or enterprises.”
 
Emails in the campaign contained ISO files that were in the size range of 1MB to 2MB, which is an unusual file size for image files; usually, their sizes are upwards of 100MB, researchers said. An ISO image is an archive file that contains all the information that would be written to an optical disc. The image contains only one executable file embedded in it, which is the actual malware payload. Once a victim clicks on the image, either the LokiBot or NanoCore trojan is then downloaded onto their system.

SOURCE: https://threatpost.com/malspam-emails-bl...es/145991/
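The two traits the quoted article reports (an unusually small ISO attachment holding a single executable) can be checked at a mail gateway; the following is an added example, not code from the post or from the cited researchers. The function names, the extension list and the 2 MiB threshold are assumptions, and the parser reads only the root directory's plain ISO9660 names.

```python
import struct

SECTOR = 2048
MAX_SMALL_ISO = 2 * 1024 * 1024   # assumption: upper end of the 1MB-2MB range quoted above
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat")  # assumption: illustrative list

def list_root_files(img: bytes):
    """Return [(name, size)] for files in the ISO9660 root directory."""
    pvd = img[16 * SECTOR:17 * SECTOR]          # primary volume descriptor
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO9660 image")
    lba, size = struct.unpack_from("<I4xI", pvd, 156 + 2)  # root record: extent, length
    data, files, pos = img[lba * SECTOR:lba * SECTOR + size], [], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                        # records never span sectors
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        if rec_len < 34 or len(rec) < rec_len or 33 + rec[32] > rec_len:
            raise ValueError("malformed directory record")
        name = rec[33:33 + rec[32]]
        if not rec[25] & 0x02:                  # bit 1 set means directory
            fsize = struct.unpack_from("<I", rec, 10)[0]
            files.append((name.decode("ascii", "replace").split(";")[0], fsize))
        pos += rec_len
    return files

def triage(img: bytes):
    """Flag an image that is both small and holds exactly one executable."""
    files = list_root_files(img)
    reasons = ["small_image"] if len(img) <= MAX_SMALL_ISO else []
    if len(files) == 1 and files[0][0].lower().endswith(EXEC_EXT):
        reasons.append("single_executable")
    return {"files": files, "reasons": reasons, "suspicious": len(reasons) == 2}

def _record(name: bytes, lba: int, size: int, flags: int) -> bytes:
    both = lambda n: struct.pack("<I", n) + struct.pack(">I", n)
    body = b"\0" + both(lba) + both(size) + bytes(7) + bytes([flags, 0, 0])
    body += b"\x01\0\0\x01" + bytes([len(name)]) + name
    body += b"\0" * ((len(body) + 1) % 2)       # keep total record length even
    return bytes([len(body) + 1]) + body

def build_sample_iso(name=b"INVOICE.EXE;1", payload=b"MZ" + bytes(62)):
    """Constructed sample: one file in the root directory, no real payload."""
    root_self = _record(b"\0", 18, SECTOR, 2)
    root = root_self + _record(b"\x01", 18, SECTOR, 2) + _record(name, 19, len(payload), 0)
    pvd = (b"\x01CD001\x01".ljust(156, b"\0") + root_self).ljust(SECTOR, b"\0")
    term = b"\xffCD001\x01".ljust(SECTOR, b"\0")
    return bytes(16 * SECTOR) + pvd + term + root.ljust(SECTOR, b"\0") + payload.ljust(SECTOR, b"\0")
```

Calling `triage(build_sample_iso())` on the constructed image reports both reasons; a real deployment would also walk subdirectories and Joliet names before trusting a negative result.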