Cybercrime spreads malware using less-known archive types as initial dropper

Yoroi-Cybaze ZLab: Cybercrime increase malware spreading using less-known archive types as initial dropper, in particular ISO image

Cybercrime is spreading malware using less-known archive types as the initial dropper, in particular ISO images, as detected by Yoroi-Cybaze ZLab cyber security experts. The Italian company’s monitoring operations discovered an interesting attack wave leveraging this technique, notable especially for the particular impersonation the attacker was attempting: they were mimicking an important Italian manufacturing company. The phishing email has a well-designed body containing the enterprise logo and references to the impersonated company: its international reputation has been abused by the attackers to lure the victim into opening the embedded attachment. The presence of an ISO file as an attachment is certainly suspicious, but for an unaware user it could go unnoticed, also thanks to the newer Windows versions that natively support the file type.

The cyber security experts: the final payload is the XpertRAT Remote Administration Tool (RAT), while the initial dropper is a Delphi wrapper

According to the cyber security researchers, the final payload is XpertRAT, a well-known Remote Administration Tool (RAT). The malware has many capabilities, such as keylogging, remote desktop, command execution and other exfiltration abilities. However, the researchers focused on the initial Delphi wrapper, which is full of advanced tricks to make analysis harder. The packer surely derives from some kind of factory that allows the attacker to choose the capabilities they want. Yoroi, in fact, intercepted many other infections based on the same Delphi structure but with different features in terms of evasion and encryption, as evidence that it can be customized. Extracting the content of the ISO image, the experts encountered an EXE file named “po-ima0948436.exe”. From the first retrieved information, in particular the “BobSoft Mini Delphi” signature, it appears to be packed with a well-known Delphi packer (already studied by other popular firms).
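The two points above, an ISO attachment that Windows will mount natively and an executable dropper hidden inside it, suggest a simple mail-gateway triage check: identify ISO 9660 content by its volume-descriptor signature rather than trusting the extension, then look for PE headers inside the image. The script below is an added example written for this article, not code from Yoroi or from the campaign; the sample image it builds in memory and the attachment name it uses are constructed, and the e_lfanew bound is a heuristic, not a standard limit.

```python
import struct
from typing import Dict, List

# ISO 9660 places the primary volume descriptor at sector 16 (2048-byte sectors).
# Byte 0 is the descriptor type, bytes 1-5 are the standard identifier "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_SIGNATURE = b"CD001"
ISO_EXTENSIONS = (".iso", ".img")


def is_iso9660(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor, whatever its name says."""
    start = ISO_PVD_OFFSET + 1
    return len(data) >= start + len(ISO_SIGNATURE) and data[start:start + 5] == ISO_SIGNATURE


def find_embedded_pe(data: bytes) -> List[int]:
    """Return offsets of every plausible PE file (MZ stub whose e_lfanew points at 'PE\\0\\0')."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Heuristic bound: real headers sit within the first few KiB of the file.
            if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Classify an attachment: ISO by content, ISO by extension, and executables inside it."""
    claims_iso = filename.lower().endswith(ISO_EXTENSIONS)
    content_iso = is_iso9660(data)
    pe_offsets = find_embedded_pe(data) if content_iso else []
    # Flag a disk image carrying an executable, and any image whose extension hides its type.
    suspicious = bool(content_iso and (pe_offsets or not claims_iso))
    return {
        "filename": filename,
        "extension_claims_iso": claims_iso,
        "content_is_iso": content_iso,
        "embedded_pe_offsets": pe_offsets,
        "suspicious": suspicious,
    }


def build_sample_iso() -> bytes:
    """Constructed test image: a valid volume descriptor plus a minimal PE stub at 0x9000."""
    image = bytearray(ISO_PVD_OFFSET + 2048 * 4)
    image[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 6] = b"\x01" + ISO_SIGNATURE
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)   # e_lfanew -> PE signature at +0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    image[0x9000:0x9000 + len(stub)] = stub
    return bytes(image)


if __name__ == "__main__":
    # Constructed attachment name; the article does not give the ISO's file name.
    print(triage_attachment("order_sample.iso", build_sample_iso()))
    print(triage_attachment("report.pdf", b"%PDF-1.4" + b"\x00" * 64))
```

The content check matters more than the extension check: renaming the image does not move the "CD001" descriptor, so an `.img` or mislabelled attachment is still caught, and the PE scan does not need a full ISO 9660 directory parser to tell that an executable is inside.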