Malware Bypasses Email Content Filters Using Compressed Executables

The NJCCIC has received reports of packed malicious software being distributed via email campaigns in an attempt to bypass content filters. The email messages include .img attachments containing malicious compressed executables. If the archive is uncompressed and the executable is manually run, the njRAT, NanoCore RAT, or KPOT Stealer malware is installed; these can collect system information, steal usernames, passwords, and other sensitive information, and capture screenshots of desktops or webcams. The subject line may contain “invoice # from [business name]” or “wire confirmation.” The file icon used by the malware may also be spoofed to look like a known document in order to further trick users into opening it. Cofense recently discovered a new variant of H-W0rm/Houdini Worm called WSH trojan, which has similarities to njRAT.

The NJCCIC strongly encourages educating end users about this and similar threats and reminding them never to click on links or open attachments delivered with unexpected or unsolicited emails, including those from known senders. We recommend that users verify emails from known senders via a separate means of communication. Additionally, organizations are advised to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to help detect and prevent email spoofing. We encourage users to report cyber incidents via the NJCCIC Cyber Incident Report Form.
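As an added illustration of the attachment pattern described above (not part of the NJCCIC alert and not any vendor's tool), the following Python triage script looks inside .img attachments for ZIP archives whose members carry executable extensions, including double extensions such as "invoice.pdf.exe" that pair with a spoofed document icon. It assumes the compressed executable is a ZIP archive and relies on ISO 9660 storing each file as one contiguous extent, so ZIP local-file headers can be carved from the image without parsing its directory tree; the sample mail is constructed inline with harmless placeholder bytes.

```python
import email
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage

IMAGE_EXTS = (".img", ".iso")                    # disk-image attachment types named in the alert
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".js", ".vbs")
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def zip_member_names(blob: bytes) -> list:
    """Carve ZIP local-file-header names from a raw blob. Assumption: the .img is ISO 9660,
    whose files are contiguous extents, so an embedded .zip keeps its headers intact."""
    names, pos = [], blob.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        if pos + 30 <= len(blob):                # fixed local header is 30 bytes
            name_len = struct.unpack_from("<H", blob, pos + 26)[0]
            names.append(blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace"))
        pos = blob.find(ZIP_LOCAL_HEADER, pos + 4)
    return names


def executable_members(names: list) -> list:
    """Members with an executable extension; endswith catches spoofs like 'invoice.pdf.exe'."""
    return [n for n in names if n.lower().endswith(EXEC_EXTS)]


def triage_message(raw: bytes) -> list:
    """Return [(attachment name, [suspicious members])] for disk-image attachments only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(IMAGE_EXTS):
            bad = executable_members(zip_member_names(part.get_payload(decode=True) or b""))
            if bad:
                findings.append((fname, bad))
    return findings


def build_sample(attachment_name: str, member_name: str) -> bytes:
    """Constructed test mail: one-member zip padded with zeros to mimic a disk image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"MZ" + b"\x00" * 62)   # placeholder bytes, not a real binary
    msg = EmailMessage()
    msg["Subject"] = "invoice # 4471 from Example Corp"  # constructed lure subject
    msg.set_content("See attached.")
    msg.add_attachment(b"\x00" * 2048 + buf.getvalue() + b"\x00" * 2048,
                       maintype="application", subtype="octet-stream", filename=attachment_name)
    return bytes(msg)
```

Running `triage_message(build_sample("invoice.img", "Invoice_4471.pdf.exe"))` flags the attachment, while a .img holding only `notes.txt` produces no finding.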