
Rewterz Threat Alert – Purchase Order Malspam Delivers NanoCore RAT

Severity

Medium

Analysis Summary

Spam messages carrying a ZIPX attachment have been observed distributing a malicious file that ultimately leads to a NanoCore RAT infection. In earlier campaigns the same method was used to deliver Lokibot.

Figure 1

The emails, which claim to come from the Purchase Manager of organizations the cybercriminals are spoofing, look like ordinary malspam except for their attachment. The attachments, with filenames of the form "NEW PURCHASE ORDER.pdf*.zipx", are actually icon (ICO) image files with extra data appended, and that extra data is a RAR archive. If the attachment evades scanning at the email gateway, the next hurdle is the victim's machine, which needs an archive tool that will extract the executable file from inside the attachment. WinZip and WinRAR yield different results on the current .zipx samples: WinZip does not extract either sample, whereas WinRAR extracts the EXE contained in both.
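The polyglot described above (an ICO header with a RAR archive appended, shipped under a .zipx extension) can be caught at the gateway by checking the file's content against what its extension claims. The following is an added example, not code from the original alert or from Rewterz: it parses the ICO directory, computes where the declared icon data ends, looks for a RAR or ZIP signature in whatever trails it, and flags the "document.archive" double extension. The sample bytes are constructed to mimic the layout (a valid ICO directory followed by a RAR5 signature), not an actual malware sample; the function names and the "suspicious"/"ok" verdicts are this example's own.

```python
import struct

# Real magic numbers from the ICO, RAR and ZIP formats.
ICO_MAGIC = b"\x00\x00\x01\x00"      # reserved=0, type=1 (icon)
RAR_PREFIX = b"Rar!\x1a\x07"         # shared by RAR4 (..\x00) and RAR5 (..\x01\x00)
ZIP_MAGIC = b"PK\x03\x04"

# Extension pairs that mimic the "NEW PURCHASE ORDER.pdf.zipx" lure (this example's own lists).
ARCHIVE_EXTS = {"zip", "zipx", "rar", "7z"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}


def is_ico(data):
    return data[:4] == ICO_MAGIC


def ico_declared_end(data):
    """Return the end offset of the image data the ICO directory declares, or None if the header is invalid."""
    if len(data) < 6 or not is_ico(data):
        return None
    count = struct.unpack_from("<H", data, 4)[0]
    end = 6 + 16 * count                      # 6-byte header + 16-byte directory entries
    if count == 0 or len(data) < end:
        return None
    for i in range(count):
        # Entry layout: width, height, colors, reserved, planes, bpp, size(u32), offset(u32)
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        end = max(end, offset + size)
    return end


def find_embedded_archive(data, start=0):
    """Return (offset, kind) of the first archive signature at or after `start`, or None."""
    hits = []
    idx = data.find(RAR_PREFIX, start)
    if idx != -1:
        kind = "rar5" if data[idx + 6:idx + 8] == b"\x01\x00" else "rar4"
        hits.append((idx, kind))
    idx = data.find(ZIP_MAGIC, start)
    if idx != -1:
        hits.append((idx, "zip"))
    return min(hits) if hits else None


def classify_attachment(filename, data):
    """Classify by content, ignoring the extension; 'ico_with_appended_*' is the polyglot from the alert."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_PREFIX):
        return "rar"
    if is_ico(data):
        end = ico_declared_end(data)
        # Search only past the declared icon data; if the directory is broken, search past the magic.
        hit = find_embedded_archive(data, end if end is not None else len(ICO_MAGIC))
        return "ico" if hit is None else "ico_with_appended_" + hit[1]
    return "unknown"


def has_lure_extension(filename):
    """True for names like 'x.pdf.zipx': a document extension hidden before an archive extension."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in ARCHIVE_EXTS and parts[-2] in DOC_EXTS


def triage(filename, data):
    """Combine the checks: the extension claims an archive, the bytes say otherwise -> suspicious."""
    kind = classify_attachment(filename, data)
    ext = filename.lower().rsplit(".", 1)[-1]
    mismatch = ext in ("zip", "zipx") and kind != "zip"
    return {
        "kind": kind,
        "extension_mismatch": mismatch,
        "lure_name": has_lure_extension(filename),
        "verdict": "suspicious" if (mismatch or kind.startswith("ico_with_appended_")) else "ok",
    }


def build_sample():
    """Constructed sample: one 16x16 icon entry (40 bytes of zero pixel data) with a RAR5 signature appended.
    The bytes after the signature are padding, not a real archive body."""
    header = ICO_MAGIC + struct.pack("<H", 1)
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, 40, 22)   # size=40, offset=22
    pixels = b"\x00" * 40
    return header + entry + pixels + RAR_PREFIX + b"\x01\x00" + b"\x00" * 16


if __name__ == "__main__":
    print(triage("NEW PURCHASE ORDER.pdf.zipx", build_sample()))
```

Searching only past the declared icon data matters: a legitimate icon can contain arbitrary pixel bytes, so a naive signature scan over the whole file would raise false positives, whereas a signature sitting exactly where the ICO says its data ends is the appended-archive pattern the alert describes.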

Impact

  • Detection Evasion
  • Unauthorized Remote Access

Indicators of Compromise

Filename

  • NEW PURCHASE ORDER[.]pdf[.]zipx

MD5

  • 45c835e4b86073bc3f9edaa27bc41a89
  • 507200d400755bcc62ae9a757d01990f
  • 922d4f5923154da460d11b5837764536
  • d60ee54c1f4a554fe49a176dbd134a3b

SHA-256

  • 4fd4456433090cb1cc076463b7cb20116243d4996a7284cfe539bfa4d25ae929
  • 1dd3771ad86a68f08bf75e3e330f8548283dc1909d5e69ae694aeb4f5f9be3ed
  • 9653d7bbee740884067ab7deb5a6bfa87a39efd126a1e906d88c06569afa9d69
  • d2e897665e02d48a99beaa5a6ab7ff7a299e631564603b4306ca5fcbbd299602

SHA1

  • df46a893b51d8ade0ccdef7e375fb387e2560720
  • c93fba54357e90235202f58da1feff7ab1142f65
  • fd958c365b6bfa5ef34779831773ec92c041a5d5
  • e99f6b9bd787679666f8c54b9a834d6acecfa622

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.