Malware botnet installing NiceRAT
June 6, 2024, 8:04 a.m.
Description
This report discusses a botnet that has been active since 2019 and distributes various malware families, including NiceRAT, Nitol, and NanoCore. The botnet spreads through disguised cracked programs shared on domestic file-sharing sites and blogs, posing as genuine software activators or game server tools. Once a system is infected, the malware connects to command-and-control (C&C) servers and installs additional payloads such as NiceRAT, a Python-based open-source remote access trojan that steals system information, browser data, and cryptocurrency wallets.
Date
Published: June 6, 2024, 7:28 a.m.
Created: June 6, 2024, 7:28 a.m.
Modified: June 6, 2024, 8:04 a.m.
Indicators
f97123d0450c2a436dff3d4e7c674c366833bcbf4f21ebd387dabba8737d1101
ebe2488e6a5a5e9512d3751ef6ba7e68c08ac072169cf9af0aed74db1f1ef1b0
d58355fed81b0412fb36dff5c210c70b32de67501962df3e350648835e0ae07c
b372d5cadca2b0b212e982615fd8df8a31322651a4057afd701dd075e85dd8e4
c78b22ec1a704a79847ec30404386253b2b2e48563bb7f55ccb8696cb88c60f0
ab5fc09447ea83e7c3f79e8817921eb2170fd2592b8d0f7d03d0934f5dad14e8
787b530fe09cea2be36f78478268eed7dfd62b68b538c62e90f1de1507c8277d
66744784b22d5d1698f9755cdcc226c644aec3a8cd9c551aa7aa5845ed19b614
55f047455519bc3cd96322361a66cd3667293f50811afe16c553382fa443465c
52991b00ba04504a2195d3a12521496170acbc1002176679bf59d3f2890e3d5d
4c25df3edce36c720c3e39d5e3f93ce4035ec7857be76fc4ac9e612168210367
39f06354924b3779b20223a8630a99317786906eb1216e88f2d5f58b3d38cc7f
http://gandigod1.ddns.net:2000
http://gandigod.ddns.net:8080
http://gandigod1.ddns.net:3255
http://gandigod.ddns.net:3255
http://gandigod.ddns.net:5407
http://gandigod.ddns.net:54984
http://gandigod.codns.com:2000
http://gandigod.codns.com:5407
http://gandigod.codns.com:7481
gandigod1.ddns.net
gandigod.codns.com
gandigod.ddns.net
Attack Patterns
NiceRAT
NanoCore - S0336
Nitol
T1136.001
T1543.003
T1053.005
T1490
T1497.001
T1059.001
T1071.001
T1016
T1082
T1057
T1105
T1027