LokiBot and NanoCore Malware Distributed in ISO Image Files

silversurfer

LokiBot info-stealing malware is again being distributed in a malspam campaign using ISO image file attachments. Similar was reported in August 2018, but it remains an unusual method of distribution. This new campaign is also separately distributing NanoCore.

ISO image files are designed to contain the full content of an optical disk. As such, legitimate files tend to be of 100 Mb or more in size. This was one of the first clues to be detected by researchers at cloud security firm Netskope. "The observed ISO files were in the size range of 1MB to 2MB which is an unusual file size for image files," they say in a report.

So far, Netskope has detected around ten variants in the current campaign, using different ISO images and emails. The content has almost always been either LokiBot or NanoCore.

The current campaign began in April 2019, with a generic message about an invoice. It does not seem to be targeted against either individuals or specific companies. However, if the email gets through to the user's inbox, the advantage is with the attackers. This could be common since ISO files are often whitelisted in scanning engines. Furthermore, if the target does not recognize it as suspicious, and clicks on the attachment, many operating systems will automatically detect and mount the image.
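The size clue quoted above can be turned into a mail-triage check that identifies ISO 9660 attachments by content as well as by name and records whether they are far smaller than a real disc image. This is an added example, not part of the original post or of Netskope's report; the 100 MB threshold, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

ISO_MAGIC_OFFSET = 0x8001             # "CD001" sits one byte into sector 16 (ISO 9660)
SMALL_ISO_BYTES = 100 * 1024 * 1024   # assumption: cut-off based on the quoted "100 Mb or more"


def is_iso9660(data: bytes) -> bool:
    """True if the payload carries the ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001"


def triage(raw_message: bytes) -> list:
    """Return one finding per attachment that is an ISO by content or by name."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        magic = is_iso9660(data)
        if not (magic or name.lower().endswith(".iso")):
            continue
        findings.append({
            "filename": name,
            "size": len(data),
            "iso_magic": magic,
            "undersized": len(data) < SMALL_ISO_BYTES,
        })
    return findings


def build_sample() -> bytes:
    """Constructed test message: a ~1 MB image with a valid signature plus a PDF."""
    pvd = b"\x01CD001\x01" + bytes(2041)            # minimal primary volume descriptor
    iso = bytes(16 * 2048) + pvd + bytes(1024 * 1024)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.com", "user@example.com", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(iso, maintype="application", subtype="octet-stream", filename="invoice.ISO")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

A finding with `undersized` set is a candidate for quarantine or sandboxing rather than delivery, since the post notes that ISO attachments are often whitelisted by scanning engines.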
 
