NanoCore RAT Scurries Past Email Defenses with .ZIPX Tactic

2021-03-11 18:58

That's according to researchers at Trustwave, who found that the campaign is effectively hiding a malicious executable by giving it a.ZIPX file extension, which is used to denote that a.ZIP archive format is compressed using the WinZip archiver.

In reality, the appended file is an Icon image file wrapped inside a.RAR package.

RAR is a proprietary archive file format that supports data compression, error recovery and file spanning.

"The attachments, which have a filename format 'NEW PURCHASE ORDER.pdf*.zipx,' are actually image binary files, with attached extra data, which happens to be.RAR.".

Enclosing the executable into a.RAR archive instead of a.ZIP file makes this more likely; it means that the file can be extracted by the popular archiving tool 7Zip, as well as WinRAR, Trustwave noted.

ZIPX files as Rar5 archives and can thus unpack its contents.

News URL

https://threatpost.com/nanocore-rat-email-defenses-zipx/164701/

#defense #email #nanocore #RAT