ISO images used to spread LokiBot and Nanocore malware

News by Rene Millman

Victims receive an email about an invoice, with an ISO disk image file attachment.

A new malspam campaign has been detected that uses ISO images to spread malware.

According to security researchers at Netskope, the campaign has been tracked since April this year. Victims receive an email about an invoice, with an ISO disk image file attachment.

In a blog post, researchers said that the generic message indicates that the spam campaigns do not target any particular individual or enterprise.

The campaign was flagged because the emails carried an unusual attachment type, the ISO disk image format. The attached images contained the LokiBot and NanoCore malware families, which triggered alerts, researchers said.

Researchers said that using uncommon file formats gives malware authors an advantage, as ISO files are often whitelisted from scanning in various email security solutions to improve efficiency. Major operating systems now ship with default software that automatically detects and mounts an ISO image once the user double-clicks it (Windows 8 and later, for example, mount an ISO in File Explorer natively, with no third-party tool installed), so the victim is presented with the contents as a drive letter. This makes the format a preferred vehicle for the scammers, the researchers said.

The flagged ISO files were in the size range of 1MB to 2MB. The researchers found this notable, as ISO images are usually larger than 100MB. Each image contained only one embedded file, an executable, which is the actual malware payload.
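As an added example (not code from Netskope's write-up or from the article), the following Python script performs the kind of triage a mail gateway or an analyst could apply to an attachment like this: it parses the ISO 9660 primary volume descriptor and root directory, lists the files, checks whether any begins with the MZ header of a Windows executable, and flags a small image that carries one. The image it inspects is constructed in memory by the script itself with a harmless MZ stub rather than a real sample; the 2 MB size threshold and the file name INVOICE.EXE are assumptions chosen for illustration.

```python
"""Triage an ISO 9660 image for a small image carrying a single PE file.
Added example: builds a constructed ISO in memory, then inspects it."""
import struct

SECTOR = 2048  # ISO 9660 logical block size used here


def both_endian_16(n):
    return struct.pack("<H", n) + struct.pack(">H", n)


def both_endian_32(n):
    return struct.pack("<I", n) + struct.pack(">I", n)


def dir_record(ident, lba, length, flags):
    """Build one ISO 9660 directory record (ECMA-119 section 9.1)."""
    body = (
        b"\x00"                  # extended attribute record length
        + both_endian_32(lba)    # extent location (sector number)
        + both_endian_32(length)  # data length in bytes
        + bytes(7)               # recording date/time (left zeroed)
        + bytes([flags])         # file flags: 0x02 marks a directory
        + b"\x00\x00"            # file unit size, interleave gap size
        + both_endian_16(1)      # volume sequence number
        + bytes([len(ident)]) + ident
    )
    if len(ident) % 2 == 0:
        body += b"\x00"          # pad so the record length is even
    return bytes([len(body) + 1]) + body


def build_sample_iso(files):
    """Construct a minimal ISO 9660 image (constructed sample data, not real
    malware). `files` maps 8.3-style names to file contents."""
    root_lba, lba = 18, 19
    records = [dir_record(b"\x00", root_lba, SECTOR, 0x02),   # "."
               dir_record(b"\x01", root_lba, SECTOR, 0x02)]   # ".."
    data = []
    for name, content in files.items():
        records.append(dir_record(name.encode("ascii") + b";1", lba, len(content), 0))
        nsec = max(1, -(-len(content) // SECTOR))
        data.append(content.ljust(nsec * SECTOR, b"\x00"))
        lba += nsec
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1        # primary volume descriptor
    pvd[40:72] = b"INVOICE".ljust(32)                 # volume identifier (assumed)
    pvd[80:88] = both_endian_32(lba)                  # volume space size
    pvd[120:124] = both_endian_16(1)                  # volume set size
    pvd[124:128] = both_endian_16(1)                  # volume sequence number
    pvd[128:132] = both_endian_16(SECTOR)             # logical block size
    pvd[156:190] = dir_record(b"\x00", root_lba, SECTOR, 0x02)
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1    # set terminator
    # sectors 0-15 are the system area, 16 the PVD, 17 the terminator, 18 root dir
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root_dir + b"".join(data)


def list_root_files(iso):
    """Walk the root directory and return (name, size, first two bytes)
    for every non-directory entry."""
    pvd = iso[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 primary volume descriptor")
    block = struct.unpack("<H", pvd[128:130])[0]
    root = pvd[156:190]
    root_lba = struct.unpack("<I", root[2:6])[0]
    root_len = struct.unpack("<I", root[10:14])[0]
    dirdata = iso[root_lba * block:root_lba * block + root_len]
    entries, pos = [], 0
    while pos < len(dirdata):
        rec_len = dirdata[pos]
        if rec_len == 0:                       # zero fill up to the next sector
            pos = (pos // block + 1) * block
            continue
        rec = dirdata[pos:pos + rec_len]
        flags, ident = rec[25], rec[33:33 + rec[32]]
        if not flags & 0x02:                   # skip directories, "." and ".."
            lba = struct.unpack("<I", rec[2:6])[0]
            size = struct.unpack("<I", rec[10:14])[0]
            name = ident.decode("ascii", "replace").split(";")[0]
            entries.append((name, size, iso[lba * block:lba * block + 2]))
        pos += rec_len
    return entries


def triage_iso(iso, max_size=2 * 1024 * 1024):
    """Flag a small image that carries a Windows executable (MZ header).
    The size threshold is an assumption taken from the campaign's 1-2MB range."""
    files = list_root_files(iso)
    pe = [name for name, _, magic in files if magic == b"MZ"]
    reasons = []
    if len(iso) <= max_size:
        reasons.append("image is only %d bytes" % len(iso))
    if len(files) == 1:
        reasons.append("root directory holds a single file")
    if pe:
        reasons.append("embedded PE executable: " + ", ".join(pe))
    return bool(pe) and len(iso) <= max_size, reasons


# Constructed samples: a harmless MZ stub standing in for the payload, and a text file.
SAMPLE_ISO = build_sample_iso({"INVOICE.EXE": b"MZ" + bytes(1022)})
BENIGN_ISO = build_sample_iso({"README.TXT": b"plain text\n"})

if __name__ == "__main__":
    for label, img in (("sample", SAMPLE_ISO), ("benign", BENIGN_ISO)):
        print(label, triage_iso(img))
```

Real-world images may use Joliet or Rock Ridge extensions with long names in supplementary volume descriptors; the root-directory walk above reads only the primary descriptor, which is enough for the single-file pattern described here but would be worth extending before using it as a gateway rule.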

When a victim opens the ISO image, it is mounted as a virtual drive, and running the executable inside it installs LokiBot or NanoCore on the affected system. LokiBot is an information stealer, and this particular strain has slight modifications. The analysed sample used the IsDebuggerPresent() function to determine whether it was loaded inside a debugger. It also implemented a common anti-VM technique, measuring the difference in execution time between CloseHandle() and GetProcessHeap() to detect whether it was running inside a VM.

The other malware, NanoCore, is a remote access trojan. When run, it tries to detect the presence of a debugger, creates a mutex, performs process injection, and establishes persistence through registry modifications.

It also captures clipboard data, monitors keystrokes, collects data about document files on the system and connects to an FTP server to upload the stolen data.

Around ten variants of the campaign have so far been detected. Researchers said that malspam campaigns continue to mix and match various new and old techniques to stay relevant. 

"Choosing an image file as an attachment indicates that they are intending to defeat email filters and scanners, which generally whitelist such file types. Use of commercially available malware payloads shows that the use of such tools has not slowed down despite crackdowns by law enforcement on individuals responsible for creating them," said the researchers.

Adam Brown, manager of security solutions at Synopsys, told SC Media UK that victims can use the ISO file like a DVD drive, where the user opens it to see the files within. 

"The attackers place their malware in the ISO file so the victim still has to run the executable (malware) file. This goes against any advice offered by phishing training," he said.

The original version of the article was published on SC Media US.
