Trustwave: Cybercriminals use double-loaded ZIP files to deliver Nanocore in a spam campaign. The attachment hides a second file, an executable
A double-loaded ZIP file that delivers the Nanocore malware in a spam campaign has been discovered by Trustwave security researchers. The message claimed to come from an Export Operations Specialist at USCO Logistics and to have been sent at the customer's request. Several other suspicious items were noted: the headers were mismatched, the message body was suspicious, and so was the attachment name, “SHIPPING_MX00034900_PL_INV_pdf.zip”, which ends in “pdf.zip” (a double extension meant to make the archive look like a PDF). The ZIP file was also significantly larger than its uncompressed content, which is odd for a compressed archive. Looking deeper into the structure of the attachment, it has two End of Central Directory (EOCD) records. After the first one comes extra data: another complete ZIP file structure. The first ZIP structure holds the image file “order.jpg”, while the second holds an executable, “SHIPPING_MX00034900_PL_INV_pdf.exe”.
The security researchers: the attacker is trying to evade scanning gateways with this dual-archive trick to spread malware
According to the researchers, the attacker is trying to evade scanning gateways with this dual-archive trick. Depending on the decompression engine used, there is a good chance that only the decoy file is extracted and scanned while the Nanocore payload goes unnoticed, just as some of the most popular archiving tools failed to notice the second ZIP structure. Regardless of what the gateway does, the attack only succeeds if the message gets through the gateway and the end user opens the attachment with one of the archive utilities that extract the second structure, such as certain versions of PowerArchiver, WinRAR, and older versions of 7-Zip. Nevertheless, this case highlights the kinds of tricks cybercriminals are using in an attempt to deliver malware through email.
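The two points above, the double-EOCD layout of the attachment and the fact that different decompression engines see different members, can both be shown with a small parser. The following Python script is an added example written for this page; it is not Trustwave's tooling and contains no real sample. It builds a constructed stand-in (a tiny fake JPEG as decoy plus a fake executable body as payload, using the member names reported in the article) by concatenating two ordinary archives, then reads the result three ways: walking local file headers from offset 0 the way a streaming extractor does, trusting the last EOCD the way Python's own zipfile module does, and scanning for every EOCD record, validating each by checking that a central directory of the declared size ends immediately before it, to recover the start and end of each embedded archive. A disagreement between the readers, or more than one validated EOCD, is the detection signal. The helper names (build_archive, walk_local_headers, find_archives, analyze) are this example's own.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
CDH_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory (EOCD) record signature
EOCD_LEN = 22             # fixed part of the EOCD record; the archive comment follows it


def build_archive(name, data):
    """One ordinary, valid ZIP archive holding a single member (helper for the sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def build_double_loaded_zip(decoy_name, decoy_data, payload_name, payload_data):
    """Constructed sample of the trick: two complete archives glued end to end.
    Neither half is malformed on its own; only the concatenation is unusual."""
    return build_archive(decoy_name, decoy_data) + build_archive(payload_name, payload_data)


def walk_local_headers(blob):
    """What a sequential (streaming) decompressor sees: local file headers read from
    offset 0 until a non-local-header signature appears. The first archive's central
    directory stops the walk, so the second archive is never reached.
    Assumes sizes are stored in the local header (no data-descriptor flag, bit 3)."""
    entries, pos = [], 0
    while blob[pos:pos + 4] == LFH_SIG:
        csize, usize, nlen, xlen = struct.unpack_from("<IIHH", blob, pos + 18)
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append((name, csize, usize))
        pos += 30 + nlen + xlen + csize
    return entries


def find_archives(blob):
    """Locate every EOCD record and, for each genuine one, work out the span of the
    archive it closes. A candidate is genuine only if a central directory of the
    declared size ends right before it; stray PK\\x05\\x06 bytes inside compressed
    data fail that check."""
    archives, start = [], 0
    while (idx := blob.find(EOCD_SIG, start)) != -1:
        start = idx + 1
        if idx + EOCD_LEN > len(blob):
            break
        _, _, _, n_total, cd_size, cd_offset, comment_len = struct.unpack_from(
            "<HHHHIIH", blob, idx + 4)
        cd_abs = idx - cd_size                     # central directory ends where the EOCD begins
        if cd_abs < 0 or blob[cd_abs:cd_abs + 4] != CDH_SIG:
            continue
        base = cd_abs - cd_offset                  # cd_offset is relative to this archive's own start
        if base < 0:
            continue
        end = idx + EOCD_LEN + comment_len
        with zipfile.ZipFile(io.BytesIO(blob[base:end])) as zf:
            names = zf.namelist()
        archives.append({"base": base, "end": end, "entries": n_total, "names": names})
    return archives


def analyze(blob):
    """Compare the views different engines get of the same bytes and flag the pattern."""
    archives = find_archives(blob)
    sequential = [name for name, _, _ in walk_local_headers(blob)]
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:     # Python's zipfile trusts the LAST EOCD
        last_eocd_view = zf.namelist()
    findings = []
    if len(archives) > 1:
        findings.append("%d EOCD records: %d archives concatenated" % (len(archives), len(archives)))
    if sequential != last_eocd_view:
        findings.append("sequential reader and EOCD-based reader disagree on the member list")
    if archives and archives[-1]["end"] != len(blob):
        findings.append("trailing data after the last archive")
    return {"archives": archives, "sequential_view": sequential,
            "last_eocd_view": last_eocd_view, "findings": findings,
            "suspicious": bool(findings)}


if __name__ == "__main__":
    decoy = b"\xff\xd8\xff\xe0" + b"\x00" * 60       # constructed stand-in for a small JPEG
    payload = b"MZ" + bytes(range(256)) * 8           # constructed stand-in for an executable
    sample = build_double_loaded_zip("order.jpg", decoy,
                                     "SHIPPING_MX00034900_PL_INV_pdf.exe", payload)
    for key, value in analyze(sample).items():
        print(key, "=", value)
```

On the constructed sample the sequential walk reports only order.jpg, Python's zipfile reports only the .exe, and the EOCD scan finds both archives back to back, which is exactly the parser differential a gateway should treat as a block signal rather than scanning whichever member its engine happens to surface. Anything that relies on a single view of the archive, whether first-member-only or last-EOCD-only, can be steered by the attacker; enumerating every validated EOCD and rejecting concatenated or trailing-data archives is the safer policy.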