Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


ISO Disk Image Files Being Used to Distribute Tweaked Variants of LokiBot and NanoCore Trojans

Many malspam campaigns have been seen since April passing off the LokiBot and NanoCore trojans. There are no targeted industries in these campaigns, but it simply seems as if threat actors are sending basic invoice emails with attached ISO disk image files to whomever they choose. The use of ISO files is a method used as a bypass of email security features since a lot of software will now automatically recognize and mount the image as soon as the email is clicked on. So far, around 10 variants of the campaign have been seen floating around and each seems to have slightly different forms of ISO images and messages. To add to the validity, signatures that appear to be from a real company have been added to the email. The most recent version of the LokiBot trojan is able to steal browsing information from over 25 different web browsers, check for the presence of web or email servers, grab credentials from 15 different email and file transfer clients, and search for popular remote admin tools like SSH, VNC, and RDP. As for the NanoCore trojan, it captures clipboard and monitoring keystrokes, collects information about document files on the system, and connects to FTP server to upload stolen data from the system.

Analyst Notes

Users should heavily avoid emails that are coming from an unexpected or untrusted source, no matter how urgent or important they seem. If an email of this nature does happen to appear in a user’s inbox, it should be reported to the security team or someone that may be able to better identify its authenticity.