
ZIPX files that aren't: Keep a weather eye out for disguised malware in email attachments
2021-03-11 14:45

Using a .zipx extension to obfuscate EXE payloads, crooks might be hoping to sneak the elderly NanoCore remote-access trojan past users' email and endpoint-scanning software.

Rather than genuine ZIPX archives, said the email security firm Trustwave, these malicious attachments "are actually image binary files, with attached extra data, which happens to be RAR".

Within the RAR is a malicious EXE file containing the payload. Trustwave's Diana Lopera, senior security researcher, said in a statement: "The recent malspams have the same goal as the ones we investigated almost two years ago, and that is to effectively hide the malicious executable from anti-malware and email scanners by abusing the file format of the '.zipx' attachment, which in this case is an Icon file with added surprises."

Only WinZip struggled to open the file; the other archive tools tested extracted the embedded RAR, and the EXE inside it, without complaint. Admins of networks where RAR archives and desktop unzipping tools are in routine use might therefore need to keep a closer eye on the attachments their users open.
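The structure described above (an icon header with a RAR archive appended, shipped under a .zipx name) is easy to check for if a mail gateway looks past the extension. The following is an added example written for this page; it is not code from the article, from Trustwave, or from the malware's authors. It parses the ICO directory to find where the icon data legitimately ends, flags an attachment whose extension claims an archive while its header does not, and searches for archive signatures after offset 0 the way archivers do when they locate an archive behind a self-extractor stub. The sample attachment bytes are constructed inline and are assumed, as are the function names.

```python
"""Detect an archive hidden behind an image header (icon/RAR polyglot attachment).

Added example for this page, not Trustwave's or the malware author's code.
The sample attachment is constructed inline: a minimal one-entry ICO file with
a RAR5 signature and filler bytes appended, in place of a real archive body.
"""
import struct

# Container signatures a scanner or archiver would recognise at offset 0.
SIGNATURES = {
    b"PK\x03\x04": "zip",               # plain ZIP; .zipx uses the same container
    b"Rar!\x1a\x07\x00": "rar4",
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
ARCHIVE_KINDS = {"zip", "rar4", "rar5"}
ARCHIVE_EXTENSIONS = {"zip", "zipx", "rar", "7z"}


def header_type(data: bytes) -> str:
    """Classify the file by its leading bytes, as a scanner that trusts magic would."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    # ICO has no magic string: reserved=0, type=1 (icon), then the image count.
    # Require the whole directory to be present so later parsing cannot overrun.
    if len(data) >= 6:
        reserved, img_type, count = struct.unpack("<HHH", data[:6])
        if reserved == 0 and img_type == 1 and 0 < count < 256 and len(data) >= 6 + 16 * count:
            return "ico"
    return "unknown"


def ico_payload_end(data: bytes) -> int:
    """Return the offset where the last image referenced by the ICO directory ends.

    Every directory entry carries (size, offset) for its bitmap; anything after
    the furthest end is data the icon format does not account for.
    """
    count = struct.unpack_from("<H", data, 4)[0]
    end = 6 + 16 * count
    for i in range(count):
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end


def find_embedded_archives(data: bytes, start: int = 1) -> list:
    """Locate archive signatures at or after `start`.

    Archivers search for their own signature instead of requiring it at offset 0
    (that is how self-extracting stubs work), so leading icon bytes do not stop
    them extracting the RAR. A scanner has to search the same way.
    """
    hits = []
    for magic, kind in SIGNATURES.items():
        if kind not in ARCHIVE_KINDS:
            continue
        pos = data.find(magic, start)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare what the name claims, what the header says and what is appended."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = header_type(data)
    findings = []
    if ext in ARCHIVE_EXTENSIONS and kind not in ARCHIVE_KINDS:
        findings.append(f"extension .{ext} but header identifies {kind}")
    embedded = []
    if kind not in ARCHIVE_KINDS:          # a real archive contains inner headers legitimately
        embedded = find_embedded_archives(data)
        for pos, akind in embedded:
            findings.append(f"{akind} signature at offset {pos} behind a {kind} header")
    if kind == "ico":
        end = ico_payload_end(data)
        if end < len(data):
            findings.append(f"{len(data) - end} trailing bytes after icon data ending at {end}")
    return {"extension": ext, "header": kind, "embedded": embedded,
            "findings": findings, "suspicious": bool(findings)}


def build_sample_attachment() -> bytes:
    """Constructed sample (assumed, not a real malspam file): 1x1 icon + RAR5 stub."""
    pixel = b"\x00\x00\x00\x00"                      # stand-in for bitmap data
    header = struct.pack("<HHH", 0, 1, 1)             # reserved, type=icon, one image
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(pixel), 22)  # data at offset 22
    appended = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32  # RAR5 signature plus filler
    return header + entry + pixel + appended


if __name__ == "__main__":
    for finding in assess_attachment("invoice.zipx", build_sample_attachment())["findings"]:
        print(finding)
```

A gateway rule built on this should treat either the extension/header mismatch or the trailing archive signature as enough to quarantine; waiting for both would miss a sample whose icon directory is deliberately malformed.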

"Analyzing the EXE files indicates that they are samples of NanoCore RAT version 1.2.2.0," wrote Lopera.

The malware itself harvests email addresses and passwords and can activate device webcams, among other things.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/11/zipx_rar_email_malware_obfuscation/