Malware botnet installing NiceRAT

June 6, 2024, 8:04 a.m.

Description

This report describes a botnet, active since 2019, that distributes several malware families including NiceRAT, Nitol (a DDoS bot) and the NanoCore RAT. It spreads through files disguised as cracked programs, shared on domestic file-sharing sites and blogs and posing as genuine software activators or game-server tools. Once a host is infected, the loader contacts its command-and-control (C&C) servers, which in this campaign are dynamic-DNS hostnames under ddns.net and codns.com, and fetches additional payloads such as NiceRAT, a Python-based open-source remote access trojan that collects system information, browser data and cryptocurrency wallets. Because the C&C hosts are dynamic-DNS names, the IP addresses they resolve to can change at any time; detection and blocking should key on the hostnames and ports listed under Indicators rather than on resolved IPs.

Date

Published: June 6, 2024, 7:28 a.m.
Created: June 6, 2024, 7:28 a.m.
Modified: June 6, 2024, 8:04 a.m.

Indicators

SHA-256 file hashes

f97123d0450c2a436dff3d4e7c674c366833bcbf4f21ebd387dabba8737d1101
ebe2488e6a5a5e9512d3751ef6ba7e68c08ac072169cf9af0aed74db1f1ef1b0
d58355fed81b0412fb36dff5c210c70b32de67501962df3e350648835e0ae07c
b372d5cadca2b0b212e982615fd8df8a31322651a4057afd701dd075e85dd8e4
c78b22ec1a704a79847ec30404386253b2b2e48563bb7f55ccb8696cb88c60f0
ab5fc09447ea83e7c3f79e8817921eb2170fd2592b8d0f7d03d0934f5dad14e8
787b530fe09cea2be36f78478268eed7dfd62b68b538c62e90f1de1507c8277d
66744784b22d5d1698f9755cdcc226c644aec3a8cd9c551aa7aa5845ed19b614
55f047455519bc3cd96322361a66cd3667293f50811afe16c553382fa443465c
52991b00ba04504a2195d3a12521496170acbc1002176679bf59d3f2890e3d5d
4c25df3edce36c720c3e39d5e3f93ce4035ec7857be76fc4ac9e612168210367
39f06354924b3779b20223a8630a99317786906eb1216e88f2d5f58b3d38cc7f

C&C URLs (dynamic-DNS hostnames)

http://gandigod1.ddns.net:2000
http://gandigod.ddns.net:8080
http://gandigod1.ddns.net:3255
http://gandigod.ddns.net:3255
http://gandigod.ddns.net:5407
http://gandigod.ddns.net:54984
http://gandigod.codns.com:2000
http://gandigod.codns.com:5407
http://gandigod.codns.com:7481
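The following script is an added example, not part of the original report, showing how a responder would turn the indicators above into a quick sweep of existing logs. It embeds the report's SHA-256 hashes and C&C URLs, reduces the URLs to (hostname, port) pairs, and scans constructed sample DNS, proxy and EDR log lines (the log format, client IPs and file path are invented for the example). Any sighting of a C&C hostname is reported, since the dynamic-DNS names themselves are attacker-controlled, and a hostname seen with one of the listed ports is reported as a full C&C endpoint.

```python
import re
from urllib.parse import urlsplit

# SHA-256 indicators from the report above.
SHA256_IOCS = {
    "f97123d0450c2a436dff3d4e7c674c366833bcbf4f21ebd387dabba8737d1101",
    "ebe2488e6a5a5e9512d3751ef6ba7e68c08ac072169cf9af0aed74db1f1ef1b0",
    "d58355fed81b0412fb36dff5c210c70b32de67501962df3e350648835e0ae07c",
    "b372d5cadca2b0b212e982615fd8df8a31322651a4057afd701dd075e85dd8e4",
    "c78b22ec1a704a79847ec30404386253b2b2e48563bb7f55ccb8696cb88c60f0",
    "ab5fc09447ea83e7c3f79e8817921eb2170fd2592b8d0f7d03d0934f5dad14e8",
    "787b530fe09cea2be36f78478268eed7dfd62b68b538c62e90f1de1507c8277d",
    "66744784b22d5d1698f9755cdcc226c644aec3a8cd9c551aa7aa5845ed19b614",
    "55f047455519bc3cd96322361a66cd3667293f50811afe16c553382fa443465c",
    "52991b00ba04504a2195d3a12521496170acbc1002176679bf59d3f2890e3d5d",
    "4c25df3edce36c720c3e39d5e3f93ce4035ec7857be76fc4ac9e612168210367",
    "39f06354924b3779b20223a8630a99317786906eb1216e88f2d5f58b3d38cc7f",
}

# C&C URLs from the report above.
C2_URLS = [
    "http://gandigod1.ddns.net:2000",
    "http://gandigod.ddns.net:8080",
    "http://gandigod1.ddns.net:3255",
    "http://gandigod.ddns.net:3255",
    "http://gandigod.ddns.net:5407",
    "http://gandigod.ddns.net:54984",
    "http://gandigod.codns.com:2000",
    "http://gandigod.codns.com:5407",
    "http://gandigod.codns.com:7481",
]


def c2_endpoints(urls):
    """Reduce the C&C URLs to a set of (hostname, port) pairs; hostnames are lowercased."""
    pairs = set()
    for url in urls:
        parts = urlsplit(url)
        pairs.add((parts.hostname.lower(), parts.port))
    return pairs


C2_HOST_PORTS = c2_endpoints(C2_URLS)
C2_HOSTS = {host for host, _ in C2_HOST_PORTS}

# 64 hex digits not embedded in a longer hex run; case-insensitive because EDRs differ.
HEX64_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")
# A hostname-like token with an optional :port; the lookarounds stop a longer name
# such as xgandigod.ddns.net from matching the shorter indicator as a substring.
HOSTPORT_RE = re.compile(
    r"(?<![A-Za-z0-9.-])([A-Za-z0-9][A-Za-z0-9.-]*[A-Za-z0-9])(?::(\d{1,5}))?(?![A-Za-z0-9.-])"
)


def scan_line(line):
    """Return the indicators found in one log line as (kind, value) tuples."""
    hits = []
    for token in HEX64_RE.findall(line):
        if token.lower() in SHA256_IOCS:
            hits.append(("sha256", token.lower()))
    for host, port in HOSTPORT_RE.findall(line):
        host = host.lower()
        if host not in C2_HOSTS:
            continue
        if port and (host, int(port)) in C2_HOST_PORTS:
            hits.append(("c2_endpoint", f"{host}:{port}"))
        else:
            # Any contact with the dynamic-DNS name is suspicious even on an unlisted port.
            hits.append(("c2_host", host))
    return hits


def scan_logs(lines):
    """Scan an iterable of log lines; return (line_number, kind, value) for every hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        for kind, value in scan_line(line):
            findings.append((number, kind, value))
    return findings


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOGS = [
    "2024-06-01T10:00:01Z dns client=10.0.0.5 query=gandigod1.ddns.net type=A",
    "2024-06-01T10:00:02Z proxy client=10.0.0.5 dst=gandigod1.ddns.net:2000 method=GET status=200",
    "2024-06-01T10:01:00Z edr host=PC01 file=C:\\Users\\u\\Downloads\\Activator.exe "
    "sha256=F97123D0450C2A436DFF3D4E7C674C366833BCBF4F21EBD387DABBA8737D1101",
    "2024-06-01T10:02:00Z proxy client=10.0.0.7 dst=update.example.com:443 method=GET status=200",
    "2024-06-01T10:03:00Z proxy client=10.0.0.5 dst=gandigod.codns.com:9999 method=POST status=200",
]

if __name__ == "__main__":
    for number, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {kind} {value}")
```

Run against the sample lines, this flags the DNS lookup and the port-2000 connection to gandigod1.ddns.net, the uppercase hash of the fake activator, and the contact with gandigod.codns.com on an unlisted port, while the benign update.example.com request passes. Matching on hostnames is deliberate: the indicators are dynamic-DNS names, so a block list of the IPs they resolved to on a given day will silently go stale.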

Attack Patterns

Malware

NiceRAT
NanoCore (MITRE ATT&CK S0336)
Nitol

MITRE ATT&CK techniques

T1136.001 Create Account: Local Account
T1543.003 Create or Modify System Process: Windows Service
T1053.005 Scheduled Task/Job: Scheduled Task
T1490 Inhibit System Recovery
T1497.001 Virtualization/Sandbox Evasion: System Checks
T1059.001 Command and Scripting Interpreter: PowerShell
T1071.001 Application Layer Protocol: Web Protocols
T1016 System Network Configuration Discovery
T1082 System Information Discovery
T1057 Process Discovery
T1105 Ingress Tool Transfer
T1027 Obfuscated Files or Information