NiceRAT Malware Targets South Korean Users via Cracked Software

Summary: Threat actors are using the NiceRAT malware to infect devices and create a botnet, targeting South Korean users through cracked software and fake license verification tools for Microsoft products.

Threat Actor: NiceRAT
Victim: South Korean users

Key Points:

  • Threat actors are distributing the NiceRAT malware through cracked software and license verification tools for Microsoft products.
  • The malware is difficult to detect as threat actors provide instructions on removing anti-malware programs during distribution.
  • Alternate distribution methods involve using a botnet with a remote access trojan (RAT) known as NanoCore RAT.
  • Prior activity involved the Nitol DDoS malware for propagating the Amadey Bot.

NiceRAT Malware

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.

The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.

“Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware’s distribution independently from the initial distributor,” the AhnLab Security Intelligence Center (ASEC) said.

“Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware.”

Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.


NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.
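Discord webhooks make a convenient C2/exfiltration channel because the traffic goes to a well-known domain over HTTPS, but the URL shape is fixed: a webhook is always a POST to `https://discord.com/api/webhooks/<id>/<token>` (or the `discordapp.com`, `ptb.` and `canary.` variants). The following detection script is an added example, not code from the article or from AhnLab; it parses constructed proxy log lines in an assumed "timestamp host process method url" format and flags webhook POSTs from any process not on a small allowlist. The process names (`python.exe`, `OfficeActivator.exe`) are illustrative assumptions; a PyInstaller-packed RAT can carry any executable name, which is why the rule keys on the URL rather than the binary.

```python
import re
from collections import namedtuple

# Constructed sample proxy log (assumed format: timestamp host process method url).
# These are illustrative lines, not real telemetry from the NiceRAT campaign.
SAMPLE_LOG = """\
2024-06-17T09:12:01Z WS-KR-014 python.exe POST https://discord.com/api/webhooks/1234567890/abcdefXYZ
2024-06-17T09:12:05Z WS-KR-014 Discord.exe GET https://discord.com/api/v9/gateway
2024-06-17T09:13:40Z WS-KR-022 OfficeActivator.exe POST https://discordapp.com/api/webhooks/99887766/token
2024-06-17T09:14:02Z WS-KR-022 chrome.exe GET https://www.microsoft.com/
2024-06-17T09:15:11Z WS-KR-031 Discord.exe POST https://discord.com/api/webhooks/555/abc
"""

# Discord webhook endpoint shape: /api/webhooks/{id}/{token} on discord.com,
# discordapp.com, or the ptb./canary. client builds.
WEBHOOK_RE = re.compile(
    r"^https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+",
    re.IGNORECASE,
)

# Processes allowed to talk to webhooks; tune per environment. On a host where
# Discord is not sanctioned at all, leave this empty and alert on every hit.
BENIGN_PROCESSES = {"discord.exe"}

Hit = namedtuple("Hit", "timestamp host process url")


def parse_line(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    return dict(zip(("timestamp", "host", "process", "method", "url"), parts))


def is_webhook_post(rec):
    """True when the record is an outbound POST to a Discord webhook URL."""
    return rec["method"].upper() == "POST" and WEBHOOK_RE.match(rec["url"]) is not None


def find_webhook_exfil(log_text, benign=BENIGN_PROCESSES):
    """Return Hit records for webhook POSTs made by non-allowlisted processes."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_webhook_post(rec) and rec["process"].lower() not in benign:
            hits.append(Hit(rec["timestamp"], rec["host"], rec["process"], rec["url"]))
    return hits


if __name__ == "__main__":
    for h in find_webhook_exfil(SAMPLE_LOG):
        # Log only the webhook id, not the token, so the alert itself does not leak it.
        print(f"{h.timestamp} {h.host} {h.process} -> {h.url.rsplit('/', 1)[0]}/<token>")
```

Two things worth noting when turning this into a production rule: the webhook token in the URL is itself a secret (anyone holding it can post to, and typically delete, the webhook), so alerts should redact it as the script does; and because a crack distributor tells victims to uninstall anti-malware software first, network-side detection of this kind is often the only layer left on the affected host.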

First released on April 17, 2024, the current version of the program is 1.1.0. It’s also available as a premium version, according to its developer, suggesting that it’s advertised under the malware-as-a-service (MaaS) model.

The development comes amid the return of a cryptocurrency mining botnet referred to as Bondnet, which since 2023 has been observed using high-performance miner bots as C2 servers by configuring a reverse proxy with a modified version of the legitimate Fast Reverse Proxy (FRP) tool.

Source: https://thehackernews.com/2024/06/nicerat-malware-targets-south-korean.html

