Both NanoCore and LokiBot are Info-stealing Trojans.

by Cyber360 News
November 11, 2019
in Malware
Security researchers at the San Francisco-based firm Netskope have discovered a new malware campaign distributing the info-stealers LokiBot and NanoCore via ISO image file attachments disguised as invoices.

It is noteworthy that LokiBot malware was discovered back in October 2017 and is equipped with capabilities like turning itself into ransomware if the victim tries to remove it from their system.

As for NanoCore, it is a data-stealing RAT discovered in April 2016 targeting Steam users and critical cyber infrastructure in the US and South Korea. Another interesting fact about NanoCore is that its author, 27-year-old Taylor Huddleston (“Aeonhack” on HackForums), was arrested in March 2017, pleaded guilty to developing the NanoCore malware and admitted that he intended the product to be used maliciously.


There is a growing trend in using LokiBot as the delivery payload across a wide range of spam campaigns. The current version of Loki is similar to its previous versions, with only slight modifications in the anti-reversing techniques implemented in the bot, Netskope researchers said in their blog post.

A similar campaign was identified back in August 2018 but this campaign is different because it is making use of ISO disk image file attachments in malicious emails to hide two dynamic and equally notorious info-stealer trojans simultaneously.

According to Netskope researchers, the infected spam emails were first discovered in April 2019; these emails contained a generic message sent to random victims. The message provided details of an invoice, and the ISO file attached to the email carried the abovementioned payload and RAT.

[Figure: Screenshot of the malicious email (Image credit: Netskope)]

The campaign’s number and type of victims have not been disclosed by researchers as yet. It is suspected that the campaign is not targeted at any particular community, user base or enterprise; rather, the attackers are randomly sending out spam emails to claim as many victims as possible.


The attachment size in these emails ranges between 1 and 2 MB, which is a rather unconventional size for ISO images, as these normally come in much larger sizes such as 100 MB or above. If the recipient of the email clicks on the attachment, the operating system will detect and mount the image automatically, and ISO files are usually whitelisted in email scanning software, so the contents are not inspected.

For your information, an ISO image file contains the full contents of an optical disk; that is, it contains all of the data that would be written to the disk. Netskope has identified ten different variants of this campaign, and every variant makes use of ISO images carrying either NanoCore or LokiBot.
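The two paragraphs above describe the detection opportunity a defender actually has here: an ISO attachment that is tiny by ISO standards and contains a single executable. The following Python script is an added example (not Netskope's code and not part of the original article) that parses the ISO 9660 primary volume descriptor and root directory of an attachment, flags images below a size threshold, and flags executable payloads inside them. The 10 MB threshold, the `build_sample_iso` helper and its fake `INVOICE.EXE` payload are all constructed for the example; the ISO 9660 offsets (volume descriptor at sector 16, `CD001` signature, root directory record at bytes 156–189) are the standard layout.

```python
import struct

SECTOR = 2048
# Constructed threshold: the campaign's images were 1-2 MB, while legitimate
# ISOs are normally 100 MB or more, so anything this small deserves a look.
SMALL_ISO_BYTES = 10 * 1024 * 1024
EXECUTABLE_EXTS = (".exe", ".scr", ".dll", ".js", ".vbs", ".bat", ".cmd", ".lnk")


def _dir_record(name: bytes, extent: int, size: int, flags: int) -> bytes:
    """Build one ISO 9660 directory record (used only to construct the sample image)."""
    rec_len = 33 + len(name)
    rec_len += rec_len % 2                      # records are padded to an even length
    rec = bytearray(rec_len)
    rec[0] = rec_len
    rec[2:6] = struct.pack("<I", extent)        # extent LBA, little-endian half
    rec[6:10] = struct.pack(">I", extent)       # and big-endian half
    rec[10:14] = struct.pack("<I", size)        # data length, both byte orders
    rec[14:18] = struct.pack(">I", size)
    rec[25] = flags                             # bit 1 set => directory
    rec[28:30] = struct.pack("<H", 1)           # volume sequence number
    rec[30:32] = struct.pack(">H", 1)
    rec[32] = len(name)
    rec[33:33 + len(name)] = name
    return bytes(rec)


def build_sample_iso() -> bytes:
    """Constructed ~40 KB ISO holding a single inert INVOICE.EXE placeholder."""
    payload = b"MZ" + b"\x00" * 100             # fake PE header, not real malware
    image = bytearray(20 * SECTOR)
    base = 16 * SECTOR                          # primary volume descriptor (PVD)
    image[base] = 1
    image[base + 1:base + 6] = b"CD001"
    image[base + 6] = 1
    image[base + 40:base + 72] = b"INVOICE_2019".ljust(32)
    image[base + 156:base + 190] = _dir_record(b"\x00", 18, SECTOR, 2)  # root dir at sector 18
    term = 17 * SECTOR                          # volume descriptor set terminator
    image[term] = 255
    image[term + 1:term + 6] = b"CD001"
    image[term + 6] = 1
    root = 18 * SECTOR
    records = (_dir_record(b"\x00", 18, SECTOR, 2)            # "."
               + _dir_record(b"\x01", 18, SECTOR, 2)          # ".."
               + _dir_record(b"INVOICE.EXE;1", 19, len(payload), 0))
    image[root:root + len(records)] = records
    image[19 * SECTOR:19 * SECTOR + len(payload)] = payload
    return bytes(image)


def parse_iso(data: bytes) -> dict:
    """Return the volume id and root-directory entries of an ISO 9660 image."""
    pvd = data[16 * SECTOR:17 * SECTOR]
    if len(pvd) < SECTOR or pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    volume_id = pvd[40:72].decode("ascii", "replace").strip()
    root = pvd[156:190]
    root_extent = struct.unpack_from("<I", root, 2)[0]
    root_size = struct.unpack_from("<I", root, 10)[0]
    directory = data[root_extent * SECTOR:root_extent * SECTOR + root_size]
    entries, pos = [], 0
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                        # zero padding: skip to next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = directory[pos:pos + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01"):      # skip "." and ".."
            entries.append({
                "name": name.decode("ascii", "replace").split(";")[0],
                "size": struct.unpack_from("<I", rec, 10)[0],
                "is_dir": bool(rec[25] & 2),
            })
        pos += rec_len
    return {"volume_id": volume_id, "files": entries}


def triage_iso_attachment(filename: str, data: bytes) -> dict:
    """Flag the traits the article describes: tiny image, executable inside."""
    try:
        info = parse_iso(data)
    except ValueError as err:
        return {"attachment": filename, "verdict": "not_iso", "findings": [str(err)]}
    findings = []
    if len(data) < SMALL_ISO_BYTES:
        findings.append(f"unusually small ISO image ({len(data)} bytes)")
    exes = [f["name"] for f in info["files"]
            if not f["is_dir"] and f["name"].lower().endswith(EXECUTABLE_EXTS)]
    if exes:
        findings.append("executable content inside image: " + ", ".join(exes))
    if len(info["files"]) == 1 and exes:
        findings.append("single-executable layout typical of a dropper")
    verdict = "suspicious" if findings else "clean"
    return {"attachment": filename, "verdict": verdict,
            "volume_id": info["volume_id"], "findings": findings}


if __name__ == "__main__":
    print(triage_iso_attachment("invoice.iso", build_sample_iso()))
```

A mail gateway or triage script would feed the raw attachment bytes to `triage_iso_attachment`; because the parser reads only the descriptor and root directory, it never mounts the image and runs safely on untrusted input. Only the root directory is walked here; extending it to recurse into subdirectories is straightforward using the `is_dir` flag and each entry's extent.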

The version of LokiBot that is part of this campaign is slightly different, as it adds several new anti-analysis routines: a call to IsDebuggerPresent() to check whether it is loaded in a debugger, and timing checks around CloseHandle() and GetProcessHeap() that measure elapsed computation time to detect whether it is running in a VM.

Furthermore, LokiBot, if running, can steal browsing data from 25 different web browsers, credentials from 15 different file transfer and email clients, and inspect the system for common remote admin tools like RDP, SSH, and VNC.

Meanwhile, the campaign uses a cracked version of Taylor Huddleston’s NanoCore RAT that uses an AutoIt script as the wrapper for its .NET compiled binary. Once decoded, the obfuscated AutoIt script produces the .NET binary. It collects keystrokes, clipboard data, and information about the files stored on the system, and exfiltrates the data using FTP.


The campaign is clear proof that threat actors are constantly trying to innovate their tactics. They have designed a malware campaign using a mix of new and old techniques, perhaps to stay “relevant,” researchers believe.

“Choosing an image file as an attachment indicates that they are intending to defeat email filters and scanners who generally whitelist such file types,” stated Netskope researchers on Tuesday.

© 2019 Cyber360 News - Powered by WebSensePro