This phishing campaign uses an odd tactic to infect Windows PCs with two forms of trojan malware

New campaign attempting to deliver LokiBot and Nanocore spun up in April - and it tries to compromise victims with an unusual attachment.

Phishing campaign using unusual attachment to circumvent security

A prolific spam campaign is attempting to infect victims with one of two infamous trojan malware families – and those behind it appear to be attempting to compromise any enterprise target they can.

Can Google win its battle with Android malware?

Cybercriminals are sneaking malicious apps into Google's official app store. Can they be stopped?

Read More

Uncovered by researchers at Netskope, the campaign began in April this year and is based around generic phishing emails claiming to be about an invoice which ask the user to open an ISO disk image file to get more information.

It's this ISO file that delivers the malicious payload to the victim – one of either LokiBot or Nanocore. Both malware families provide attackers with backdoors onto infected Windows PCs and the ability to steal data, as well as enabling additional payloads to be installed. Nanocore is particularly dangerous as it captures clipboard data and keystrokes.

SEE: 10 tips for new cybersecurity pros (free PDF)

Researchers say they've identified 10 variants of the campaign, using different ISO images and emails.

By using the ISO disk image format, the attackers are looking to take advantage of what's quite an uncommon file format and therefore one that's often whitelisted by email security providers.

The images are mostly within the size range of 1MB to 2MB, but contained within them is an embedded executable file which unleashes the actual malware payload.

While many trojan malware campaigns are becoming increasingly well-targeted, with attackers deploying bespoke payloads attached to specially crafted phishing lures, this campaign shows that commercial malware attached to basic phishing emails still remain a threat to organisations.

That's especially the case for employees in departments who regularly need to open messages from unknown senders.

"Looking at the email body and unusual file attachment, it seems that the attackers were particularly interested in targeting corporate users specifically in the finance and billing departments. This attribution points to the fact that the attackers were definitely financially motivated," Abhinav Singh, cloud security researcher at Netskope, told ZDNet.

"Stay vigilant towards any email that might look suspicious and remember to be careful when dealing with attachments, especially those coming from untrusted sources," he added.