Botnet Installing NiceRAT Malware

1. Overview

AhnLab Security intelligence Center (ASEC) confirmed that botnets trending since 2019 have been continuously used to install NiceRAT malware. A botnet is a group of devices infected by malware and controlled by a threat actor. Because threat actors mainly launched DDoS attacks using botnets in the past, Nitol and other malware strains used in DDoS attacks were perceived as the key strains that form botnets. Recently, however, malware strains such as NanoCore and Emotet that perform malicious behaviors such as leaking data and installing additional malware are also being used to build botnets.

2. How Botnets Run

As mentioned previously, botnet malware is distributed widely since it is a group of devices controlled by the attacker. For years, threat actors have been continuously using Korean file-sharing services or blogs to distribute malware disguised as Windows or Microsoft Office license verification tools and free servers for games [1].

Figure 1. Malware disguised and distributed as a game’s free server

Figure 1 shows a screen that appears upon running the malware that creates NanoCore, disguised as a game’s free server. When the malware is run, it creates NanoCore in the %SystemRoot%\rip\lineage1\exploekr.exe path. The executed NanoCore adds IAMP Service and SMTP Service to the Task Scheduler.

As mentioned above, a botnet can be formed using the malware disguised as a Windows license verification tool. ASEC confirmed NanoCore that is being distributed through personal blogs, and NanoCore was available for access and download until recently at the time this post was uploaded.

3. Installing Additional Malware Through Botnets

ASEC previously introduced a case in which the Amadey Bot malware was distributed through Nitol [2]. In the case mentioned above, Nitol was used to distribute Amadey Bot even after more than a year had passed since its initial distribution. NiceRAT, the malware that will be introduced in this post, is also installed by a botnet that has persisted for a long time.

Figure 2 shows the AhnLab Smart Defense (ADS) infrastructure log that displays the malware of a different hash that installs NiceRAT. The process that installs NiceRAT is NanoCore which mainly forms a botnet, communicating with similar C&C servers (see Table 1).

Figure 2. The logs of the botnet-type malware that installs NiceRAT
NameC&C Server
Table 1. The C&C servers of the botnet malware that installs NiceRAT

Normally, when downloading additional malware strains after a considerable time has passed since the distribution, malware strains are unable to perform downloader tasks because the C&C servers are blocked. However, botnet-type malware strains can periodically install additional malware types regardless of the time as proven by some cases. Figure 3 shows NanoCore that installs NiceRAT. Since 2019 and up to the present, NanoCore has been vigorously installing not just NiceRAT but also Nitol.

Figure 3. NanoCore installing NiceRAT
Figure 4. NanoCore installing Nitol

4. NiceRAT

NiceRAT is an open-source program written in Python.

Figure 5. NiceRAT’s GitHub address

NiceRAT proceeds with tasks such as anti-debugging detection, virtual machine detection, and startup program registration to maintain persistence. Additionally, it accesses hxxps://api.ipify[.]org to collect the IP information of the system and then uses it to collect location information.

Figure 6. Collecting system information

Afterward, NiceRAT collects system information, browser information, and cryptocurrency information and leaks collected information to the threat actor, using Discord as a C&C server to communicate.

  • C&C Server: hxxps://discord[.]com/api/webhooks/1241518194691280966/tDcIZkMJSrBlrb0PjY98f6vjRIpIa489tkwC5M9GdJFAzOG4-yLh99uzd7gvAG5ZYa3G
Figure 7. Cryptocurrency wallets targeted for stealing
Figure 8. The user information that is collected and saved
Figure 9. The code that uploads the collected files onto the threat actor’s server

5. Conclusion

The distribution of malware strains disguised as crack programs targeting Korean users eventually resulted in the construction of threat actors’ botnets. Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware’s distribution independently from the initial distributor. Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware. Ultimately, this has led to a continuous increase in cases where threat actors conveniently install new malware strains through the botnets they formed a long time ago.

Users must take caution when launching crack programs downloaded via routes such as file-sharing services and blogs. Additionally, if their systems are already infected, they should install V3 and remediate the Task Scheduler where mainly botnet-type malware strains are added to stop the recurring malware infection.

AhnLab’s anti-malware product, V3, detects and blocks the malicious types of files introduced in the post using the aliases below.

[File Detection]
– Backdoor/Win.NiceRAT.C5626512(2024.05.27.02)
– Backdoor/Win32.Nitol.R156318 (2015.07.05.04)
– Backdoor/Win.NiceRAT.C5625917(2024.05.26.03)
– Trojan/Win.Nanobot.C5210720(2022.07.19.00)
– Backdoor/Win.AsyncRAT.C5625919(2024.05.26.03)
– Trojan/Win.Generic.R628608 (2023.12.22.01)
– Trojan/Win.Generic.C4748805(2021.11.02.01)
– Trojan/Win.NanoCore.C5627471(2024.05.29.00)
– Dropper/Win.NANOCORE.C3020440(2024.05.26.03)
– Trojan/Win32.Agent.C3452224(2019.08.31.01)
– Backdoor/Win.NanoCore.C5625916(2024.05.26.03)
– Backdoor/Win.NanoCore.C5625920(2024.05.26.03)
– Trojan/Win32.Rbot.R171937(2016.01.11.07)
– Malware/Win32.Generic.C2999777(2019.02.07.04)
– Backdoor/Win.NanoCore.C5625923 (2024.05.26.03)
– Malware/Gen.Generic.C2901177(2018.12.23.01)
– Trojan/Win32.Generic.C2812697(2018.11.07.01)
– Trojan/Win32.Generic.C2812698(2018.11.07.01)
– Backdoor/Win.Nitol.C5625921(2024.05.26.03)
– Trojan/Win32.Agent.C2116237(2017.09.03.09)
– Dropper/Win32.Agent.C2457947(2018.04.10.06)

– 5b72efdb6a374d4c35ab8ac88e519c9c (NiceRAT)
– 16014adaf287779265e33c698287046a (Nitol)
– 1c51a104abd02ad2b0b850ab37d44bde (NiceRAT)
– 4b44c4b3ab34a7946987fe7a601de5d6 (AsyncRAT)
– 8cf502f9a053a7f65dc83651c21ea9de (NanoCore)
– 00287b8dfdc58c4b413a29042e32d86b (AsyncRAT)
– 06e5bcc514f78794ba83779ea4c30841 (NanoCore)
– 99df897a57e5d7dc8ecd11b73ee24726 (Dropper)
– ba34c7a913b0fa18e434d6a96d612a2c (NanoCore)
– 6fcdf8ef4c409addf1ebf785440f32ee (NanoCore)
– 691f894f028994a2553b2438ea011c34 (NanoCore)
– fb5b169d0844dd9b6228599f313cf983 (Nitol)
– 76e232928e26a1929efe0302cce1cc88 (Nitol)
– cfb73473df35a1fd6c3cd70d09ec8be3 (Nitol)
– 0ff5ecbe655b0b5781700195d2e8475e (NanoCore)
– df9ef2b14a8d4e5ddf8ac1e03909e0a4 (Dropper)
– 2800ebfde7f0a94f00494fc72a3f8149 (NanoCore)
– 28f08aa165f19b2efb9254f223512dee (Dropper)
– c5e49e44495d09a523173e9656a496fc (Nitol)
– d94d7d20f2c88aaf8f84f6e771878fa7 (Nitol)
– 061ea0f42ce0a6840c692f6ee36578af (NanoCore)
– a62bfe438f822cf369e434528325ed74 (Dropper)
– d387a15e4e0586d112b36ea75fe4d772 (NanoCore)
– 7b4fe1a72a25163098827e9def8f497e (Nitol)
– 58678eb1df7e8bf574e67573a2beddaa (NanoCore)
– fc1333bdce23896e343f0fe6e9a30db8 (Dropper)
– 20e2e1c6900aacb6ba529d148545c283 (NanoCore)

– hxxps://discord[.]com/api/webhooks/1242723656166146119/stYCi_haHIy8MpHXGkrMX0f_bp4-yAEIlnWaINtua0M_sgvcXVRXo77MzCFOIPUe8xT7
– gandigod.ddns[.]net:8080
– hxxps://discord[.]com/api/webhooks/1241518194691280966/tDcIZkMJSrBlrb0PjY98f6vjRIpIa489tkwC5M9GdJFAzOG4-yLh99uzd7gvAG5ZYa3G
– gandigod.ddns[.]net:3255
– gandigod.ddns[.]net:54984
– gandigod.ddns[.]net:5407
– gandigod1.ddns[.]net:2000
– gandigod.codns[.]com:2000
– gandigod.codns[.]com:5407
– gandigod.codns[.]com:7481

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Botnet Installing NiceRAT Malware appeared first on ASEC BLOG.

Article Link: Botnet Installing NiceRAT Malware - ASEC BLOG