LokiBot and NanoCore RAT Lurking in ISO Files

Delaware, USA – June 26, 2019 – Spam campaigns spreading LokiBot and NanoCore RAT started in April, and by the end of June researchers from Netskope had discovered 10 samples of malicious attachments used in the campaigns. The ISO image format is an unusual choice for this type of attack because the attachments are comparatively large (1-2 megabytes). This is offset by the fact that many security solutions whitelist disc image files to speed up scanning, since legitimate ISO files are typically larger than 100 megabytes. The adversaries use generic text in the email body, which indicates non-targeted campaigns; to make the email look more legitimate, they add a signature with fake contact details for the sender. An ISO attachment is easily opened on modern operating systems (Windows 8 and later mount it with a double-click); in these campaigns the attackers pack only one executable file into the image, and that executable is the final payload.
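
The attachment pattern described above, as an added example that is not part of the original report or of Netskope's research: a minimal ISO 9660 reader in Python that walks the image's root directory and flags an attachment-sized image whose only file is an executable. The image builder, the 16 MB size threshold, the executable-extension list and the file names in the sample are all constructed assumptions for the demonstration, not indicators from the campaign.

```python
"""Triage an e-mail attachment that is an ISO 9660 image.

Reads the primary volume descriptor and root directory (ECMA-119 layout)
and flags the campaign pattern: a small, attachment-sized image whose only
file is an executable.  A tiny ISO builder is included so the check can be
exercised offline on constructed sample data.
"""
import struct

SECTOR = 2048
# Assumed triage parameters (not from the report): what counts as
# "attachment-sized" and which extensions count as executable.
SMALL_ISO_BYTES = 16 * 1024 * 1024
EXEC_EXT = {"EXE", "SCR", "COM", "PIF", "BAT", "CMD", "VBS", "JS", "HTA"}


def _both_endian_32(value):
    return struct.pack("<I", value) + struct.pack(">I", value)


def _both_endian_16(value):
    return struct.pack("<H", value) + struct.pack(">H", value)


def _dir_record(ident, extent, size, is_dir):
    """Encode one ISO 9660 directory record (ECMA-119 section 9.1)."""
    body = (
        b"\x00"                              # extended attribute record length
        + _both_endian_32(extent)            # location of extent (LBA)
        + _both_endian_32(size)              # data length in bytes
        + bytes(7)                           # recording date/time (zeroed)
        + (b"\x02" if is_dir else b"\x00")   # file flags: bit 1 = directory
        + b"\x00\x00"                        # file unit size, interleave gap
        + _both_endian_16(1)                 # volume sequence number
        + bytes([len(ident)]) + ident        # identifier length + identifier
    )
    if len(ident) % 2 == 0:
        body += b"\x00"                      # pad so the record length is even
    return bytes([len(body) + 1]) + body


def build_iso(files):
    """Build a minimal single-directory ISO 9660 image (constructed test data).

    files: dict of ISO identifier -> content, e.g. {"INVOICE.EXE;1": b"MZ..."}.
    Sectors 0-15 are the system area, 16 the PVD, 17 the terminator,
    18 the root directory and 19 onwards the file data.
    """
    root_lba, data_lba = 18, 19
    records = [_dir_record(b"\x00", root_lba, SECTOR, True),   # "."
               _dir_record(b"\x01", root_lba, SECTOR, True)]   # ".."
    payload = b""
    for name, content in files.items():
        lba = data_lba + len(payload) // SECTOR
        records.append(_dir_record(name.encode("ascii"), lba, len(content), False))
        payload += content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"                 # type 1, identifier, version
    pvd[128:132] = _both_endian_16(SECTOR)      # logical block size
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)  # root record
    terminator = b"\xffCD001\x01".ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + bytes(pvd) + terminator + root_dir + payload


def list_root_directory(image):
    """Return [(identifier, size, is_dir)] for the root directory of an image."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[0:6] != b"\x01CD001":
        raise ValueError("not an ISO 9660 image: primary volume descriptor missing")
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    root = pvd[156:190]
    root_lba = struct.unpack_from("<I", root, 2)[0]
    root_len = struct.unpack_from("<I", root, 10)[0]
    directory = image[root_lba * block_size:root_lba * block_size + root_len]
    entries, offset = [], 0
    while offset < len(directory):
        rec_len = directory[offset]
        if rec_len == 0:
            # Records never straddle a sector; a zero length byte means the
            # rest of this sector is padding, so skip to the next sector.
            offset = (offset // block_size + 1) * block_size
            continue
        rec = directory[offset:offset + rec_len]
        offset += rec_len
        ident = rec[33:33 + rec[32]]
        if ident in (b"\x00", b"\x01"):
            continue                              # "." and ".." entries
        size = struct.unpack_from("<I", rec, 10)[0]
        entries.append((ident.decode("ascii", "replace"), size, bool(rec[25] & 0x02)))
    return entries


def _extension(identifier):
    # "INVOICE.EXE;1" -> "EXE"; strips the ISO version suffix first
    return identifier.split(";")[0].rsplit(".", 1)[-1].upper()


def triage_iso_attachment(image):
    """Flag an attachment-sized ISO whose only file is an executable."""
    files = [name for name, _, is_dir in list_root_directory(image) if not is_dir]
    executables = [name for name in files if _extension(name) in EXEC_EXT]
    suspicious = (len(image) <= SMALL_ISO_BYTES
                  and len(files) == 1 and len(executables) == 1)
    return {"suspicious": suspicious, "size": len(image),
            "files": files, "executables": executables}


if __name__ == "__main__":
    sample = build_iso({"INVOICE.EXE;1": b"MZ" + bytes(1024)})  # constructed
    print(triage_iso_attachment(sample))
```

The same reader can be pointed at a real attachment with `triage_iso_attachment(open(path, "rb").read())`; an image that fails the `CD001` check is simply not ISO 9660 and should be handed to other parsers rather than ignored.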

LokiBot and NanoCore RAT are often used in Business Email Compromise attacks, but it is very difficult to link them to a specific threat actor. The new versions of the malware have gained additional anti-analysis capabilities. LokiBot steals sensitive information from most browsers, email clients, and popular remote administration tools, while NanoCore is used to steal clipboard data and sensitive documents and exfiltrate them via FTP.

Threat Detection Marketplace content to detect the malware:

Nanocore Malware Detector (Sysmon Behavior Analysis) – https://tdm.socprime.com/tdm/info/2255/
NanoCore RAT (Sysmon) – https://tdm.socprime.com/tdm/info/1353/
Lokibot Malware Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2258/
LokiBot Trojan Detector (Sysmon) – https://tdm.socprime.com/tdm/info/1139/