Cybercriminals are always looking for new avenues to distribute malware without being detected by antivirus scanners and secure email gateways. This is illustrated in a new phishing campaign that utilizes a specially crafted ZIP file that is designed to bypass secure email gateways to distribute the NanoCore RAT. All ZIP archives contain a special structure that contains the compressed data and information about the compressed files. The new spam campaign, discovered by researchers from Trustwave, pretends to be shipping information from an Export Operation Specialist of USCO Logistics. When examining the file, the Trustwave researchers discovered that the ZIP archive contained two distinct archive structures, each marked by their own End of Central Directory (EOCD) record. A ZIP archive should have only one EOCD record, so this indicated that the ZIP file was specially crafted to contain two archive structures. In a statement from Trustwave, “This sample challenges gateways scanners. Depending on the type of decompression engine used, there is a good probability that only the decoy file may be scrutinized and vetted, and the malicious content unnoticed – just like how some of the most popular archiving tools failed to notice the second ZIP structure.”
Analyst Notes
Before any file is downloaded from an email, several actions should be taken. First is to verify the sender of the email, if the recipient does not recognize the sender’s address, then the email should be treated as suspicious and left alone until verification. Second, even though these files are designed to bypass standard anti-virus systems, the file should be run through an anti-virus/anti-malware system before it is downloaded. Lastly, for organizations, it is recommended to employ a 24-hour endpoint detection monitoring service such as the Binary Defense Security Operation Center. Endpoint monitoring solutions are in the perfect position to detect ransomware or attacker behaviors early in an intrusion and isolate the infected computer from the rest of the network to prevent the spread of damage.
