Fake Icon Delivers NanoCore Trojan – Experts Perspectives

By ISBuzz Team, Writer, Information Security Buzz | Mar 12, 2021 02:41 am PST

Researchers with SpiderLabs at Trustwave reveal a new image file exploit – a fake icon delivering the NanoCore trojan. Researchers said: “The recent malspams… (work to) effectively hide the malicious executable from anti-malware and email scanners by abusing the file format of the “.zipx” attachment, which in this case is an Icon file with added surprises. In a slight twist, enclosing the executable into a RAR archive instead of a ZIP file, the content of the .zipx attachment can be extracted by another popular archiving tool, 7Zip. If the end-user uses 7Zip or WinRAR, the NanoCore malware could be installed onto the system, if the user decides to run and extract it. It all works because various archive utilities try their darndest to find something to unzip within files.”
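The mechanism described above (an attachment whose extension says archive, whose header says icon, and whose tail carries a RAR that 7Zip or WinRAR will happily extract) can be caught at the mail gateway by checking three things: does the extension match the real container, is there an archive signature at a non-zero offset, and is the outer file even an archive at all. The following is an added example written for this page, not Trustwave's or SpiderLabs' code; the magic byte constants are the public ICO, ZIP and RAR format signatures, and the two sample files are constructed in memory so the script runs offline.

```python
import io
import os
import struct
import zipfile

# Public file-format signatures (not page-specific values).
ICO_MAGIC = b"\x00\x00\x01\x00"        # ICONDIR: reserved=0, type=1 (icon), little-endian
ZIP_MAGIC = b"PK\x03\x04"              # ZIP local file header
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 4.x archive marker
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive marker

ARCHIVE_EXTENSIONS = {".zip", ".zipx"}


def detect_container(data: bytes) -> str:
    """Identify the outer container from the bytes at offset 0, not the extension."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(ICO_MAGIC):
        return "ico"
    return "unknown"


def find_embedded_archives(data: bytes, min_offset: int = 1) -> list:
    """Return (offset, kind) for every archive signature found past the start of the file.

    Archive tools scan for these markers inside arbitrary data, so a signature
    buried in an icon is exactly what lets the trailing payload be extracted.
    """
    hits = []
    for sig, kind in ((ZIP_MAGIC, "zip"), (RAR5_MAGIC, "rar5"), (RAR4_MAGIC, "rar4")):
        start = min_offset
        while True:
            i = data.find(sig, start)
            if i == -1:
                break
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)


def assess_attachment(filename: str, data: bytes) -> dict:
    """Flag extension/header mismatches and archives embedded in non-archive files."""
    ext = os.path.splitext(filename)[1].lower()
    container = detect_container(data)
    embedded = find_embedded_archives(data)
    reasons = []

    if ext in ARCHIVE_EXTENSIONS and container != "zip":
        reasons.append(f"extension {ext} but header identifies {container}")

    # A real ZIP/RAR legitimately contains nested headers (one per entry), so
    # only treat embedded signatures as a polyglot when the outer file is not an archive.
    if container not in ("zip", "rar") and embedded:
        reasons.append(f"archive signature(s) inside a {container} file at {embedded}")

    return {
        "filename": filename,
        "container": container,
        "embedded": embedded,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "clean",
    }


# --- Constructed samples (not real malware) ---------------------------------
# 1. A minimal icon header (ICONDIR + one ICONDIRENTRY + 32 bytes of "pixel" data)
#    followed by a RAR5 marker: the shape of the .zipx lure described on the page.
SAMPLE_ICO_WITH_RAR = (
    ICO_MAGIC + struct.pack("<H", 1)   # ICONDIR: reserved, type, image count = 1
    + bytes(16)                        # one zeroed ICONDIRENTRY
    + b"\x00" * 32                     # placeholder image bytes
    + RAR5_MAGIC + b"\x00" * 16        # archive marker at offset 54
)

# 2. A genuine single-entry ZIP built with the standard library, for comparison.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_STORED) as _zf:
    _zf.writestr("readme.txt", "hello")
SAMPLE_CLEAN_ZIP = _buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.zipx", SAMPLE_ICO_WITH_RAR), ("notes.zipx", SAMPLE_CLEAN_ZIP)):
        result = assess_attachment(name, blob)
        print(result["filename"], result["verdict"], result["reasons"])
```

The check deliberately keys on the bytes at offset 0 rather than the extension, and it scans the whole attachment rather than trusting the first header, because the archive utilities quoted above do the same when they decide what to extract.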

Garret F. Grajek
March 12, 2021 10:43 am

There is nothing new about hackers hiding payloads inside of images. Steganography, the practice of concealing a message within another message or a physical object, has been around for years. What has changed is the sophistication of the payloads inside the map. The executables now inside the images aren’t just password loggers; they can also be APTs (Advanced Persistent Threat) executables that can morph in functionality, enumerate all systems in an enterprise and move laterally through an infrastructure. These APTs can be defended by not just educating users, but by mitigating the steps the hack executes on the Cyber Kill Chain.

Steps in mitigation include conducting regular and triggered access reviews to detect privilege escalation.

Saryu Nayyar, CEO
March 12, 2021 10:42 am

The recently reported phishing campaign that spreads the NanoCore trojan is a variation on an old theme. It relies on a bit of social engineering, using a plausible hook, to coax a target into opening an infected file. In this case, the attackers are trying to use file formats and naming conventions to keep the target’s anti-malware software from detecting the trojan. However, it still relies on the user falling for the ruse.

This is another reminder that users are an organization’s broadest attack surface, but that a well-educated user base can be one of their best defenses. Unfortunately, user education alone isn’t enough. Organizations need to back that up with a full security stack, including security analytics, that can quickly detect and contain infections that make it inside.

