Malspam Campaign Delivers Nanocore and Loki Bot Malware in ISO Files

In April, several different malspam campaigns were intercepted which attempted to deliver Nanocore and Loki Bot malware concealed inside small ISO image files of between 1MB and 2MB.

Prior to executing ISO files, it used to be necessary to use a program to mount them. However, most modern computers can execute the files on request and will automatically mount the images and display the contents.

Security awareness training will no doubt have taught employees to be suspicious of Word, Excel, PDF, and executable files such as .js or .exe. Since ISO files are used less commonly, they are less likely to arouse suspicions and firewall or spam filter rules may not have been set to quarantine emails containing ISO files.

ISO files are usually too large to send via email. In this case, the small size is due to the ISO file containing just one file: The malware payload, which is installed when the ISO file is executed. In total, 10 different campaigns were detected using different lures, malware variants, and ISO files.

The threat actors behind these attacks are using spray and pray tactics to infect as many devices as possible. Most of the emails have business-related lures and attachments, such as confirmations of wire transfers for overdue invoices.

The malware variants being distributed in this campaign are both information stealers that are capable of scanning computers to find sensitive information. They can log keystrokes, capture clipboard data, and target browsers, email clients, and remote admin tools. Captured information and files of interest are then exfiltrated to the attackers C2 server.

These malware variants incorporate mechanisms to determine whether they are running in a virtual environment and a check is performed to see if a debugger is installed, in which case the malware exits.

The identity of the attackers is not known, although the attacks bear some similarity to past attacks by the Nigerian hacking group SilverTerrier, which favors LokiBot and frequently uses the nanocore RAT.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of