NanoCore RAT Scurries Past Email Defenses with .ZIPX Tactic


Level 74
Content Creator
Malware Hunter
Aug 17, 2014
A spate of malicious emails with attachments delivering the NanoCore remote access trojan (RAT) is evading anti-malware and email scanners by abusing the .ZIPX file format.

That’s according to researchers at Trustwave, who found that the campaign is effectively hiding a malicious executable by giving it a .ZIPX file extension, which is used to denote that a .ZIP archive format is compressed using the WinZip archiver. In reality, the appended file is an Icon image file wrapped inside a .RAR package. .RAR is a proprietary archive file format that supports data compression, error recovery and file spanning.

“The emails, claiming to be from the purchase manager of certain organizations that the cybercriminals are spoofing, look like usual [malicious spam emails] except for their attachment,” according to a Trustwave blog, published on Thursday. “The attachments, which have a filename format ‘NEW PURCHASE ORDER.pdf*.zipx,’ are actually image (Icon) binary files, with attached extra data, which happens to be .RAR.”

The victim’s machine needs to have an unzip tool that can extract the executable file inside the attachment. Enclosing the executable into a .RAR archive instead of a .ZIP file makes this more likely; it means that the file can be extracted by the popular archiving tool 7Zip, as well as WinRAR, Trustwave noted. 7Zip recognizes the .ZIPX files as Rar5 archives and can thus unpack its contents. [...]