Samples of LokiBot and NanoCore trojans being distributed via ISO disk image files

• The campaigns involve threat actors sending a generic message about an invoice and an ISO disk file attachment to potential victims.
• They appear to follow the ‘spray and pray’ principle as these campaigns are not targeted towards any particular individuals or enterprise.

Multiple malspam campaigns that distribute LokiBot and NanoCore trojans have been detected recently. These campaigns are believed to have started in April 2019.

How does the campaign work?

In a detailed report, researchers from Netskope Threat Research Labs have revealed the campaigns involve threat actors sending a generic message about an invoice and an ISO disk file attachment to potential victims. They appear to follow the ‘spray and pray’ principle as these campaigns are not targeted towards any particular individuals or enterprise.

Researchers note that targeting with such uncommon file format such as ISO files is usually a trick to evade detection by email security solutions.

“Also, major operating systems now have default software which automatically detects and mount the ISO image once the user clicks on it. This again makes it a preferred target for the scammers,” the researchers added.

The ISO files used in these cyberespionage campaigns are in the size range of 1MB to 2MB.

What's in the spam email?

The generic spam email delivering the LokiBot and NanoCore trojans uses the wire payment message to trick users into opening the attachment - which is actually the ISO file. Security researchers have discovered 10 variants of this type of campaign, with variations in the ISO images and messages delivered to potential victims.

In order to look it more convincing, the attackers have added a signature that appears to be from a real company.

What’s new about LokiBot trojan?

The new variant of LokiBot trojan is similar to its previous version, with only slight modifications in the anti-reversing techniques.

“The sample analyzed, in this case, used the IsDebuggerPresent() function to determine if it is loaded inside a debugger. It also implemented a common anti-VM technique, measuring the computational time difference between CloseHandle() and GetProcessHeap() to detect if it is running inside a VM (the time difference will be large in case of a VM),” researchers added.

The latest variant of LokiBot is capable of:

• Stealing browsing information from over 25 different web browsers;
• Checking for the presence of web or email servers;
• Grabbing credentials from 15 different email and file transfer clients;
• searching for popular remote admin tools like SSH, VNC, and RDP.

What’s new about NanoCore trojan?

Trojan.GenericKD.40782328 is the latest variant of NanoCore trojan.

Once the malware is installed, it begins performing the following operations:

• Capturing clipboard and monitoring keystrokes;
• Collecting information about document files on the system;
• Connecting to FTP server to upload stolen data from the system.