Jun 17, 2024 - 5:11 a.m.

NiceRAT Malware Targets South Korean Users via Cracked Software

The Hacker News (thehackernews.com)


Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.

The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.

“Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware’s distribution independently from the initial distributor,” the AhnLab Security Intelligence Center (ASEC) said.

“Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware.”

Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.


NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.
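Webhook-based C2 of the kind described above hides in traffic to a legitimate service, so a useful triage heuristic is to look for POSTs to Discord webhook URLs coming from processes that are not a browser or the Discord client. The following script is an added example and is not code from the article, ASEC or the malware author; it assumes a constructed key=value proxy log format, a hypothetical allowlist of processes for which webhook traffic is expected, and host and process names that are made up for illustration.

```python
"""Flag outbound Discord webhook POSTs from unexpected processes.

Heuristic for triaging webhook-based C2 / exfiltration in proxy logs.
Log format, process allowlist and sample data are all constructed
for this example (assumptions, not a real product's schema).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Discord webhooks have the shape https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I
)

# Processes from which webhook traffic is plausible and usually benign.
# Assumption: tune this allowlist to the environment being monitored.
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "discord.exe"}


@dataclass
class Alert:
    host: str
    process: str
    url: str      # webhook token is redacted so alerts do not leak it
    reason: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value key="quoted value"' log line."""
    fields = {}
    for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line):
        fields[m.group(1)] = m.group(2).strip('"')
    return fields


def redact_webhook(url: str) -> str:
    """Drop the secret token segment of a webhook URL before reporting it."""
    return url.rsplit("/", 1)[0] + "/<redacted>"


def find_webhook_c2(lines: List[str]) -> List[Alert]:
    """Return one Alert per POST to a Discord webhook from a non-allowlisted process."""
    alerts: List[Alert] = []
    for line in lines:
        f = parse_line(line)
        url = f.get("url", "")
        if not WEBHOOK_RE.match(url):
            continue                      # not a Discord webhook endpoint
        if f.get("method", "").upper() != "POST":
            continue                      # webhooks receive data via POST
        proc = f.get("process", "").lower()
        if proc in EXPECTED_PROCESSES:
            continue                      # expected client, treat as benign
        reason = "POST to Discord webhook from unexpected process"
        if proc in ("python.exe", "pythonw.exe"):
            reason += " (Python interpreter, consistent with a Python stealer)"
        alerts.append(Alert(f.get("host", "?"), proc, redact_webhook(url), reason))
    return alerts


# Constructed sample log lines (hosts, processes and webhook ids are invented).
SAMPLE_LOGS = [
    'ts=2024-06-17T05:11:00Z host=WS-0142 process="python.exe" method=POST '
    'url=https://discord.com/api/webhooks/1234567890/abcDEF_ghi-jkl bytes_out=18234',
    'ts=2024-06-17T05:11:02Z host=WS-0142 process="chrome.exe" method=POST '
    'url=https://discord.com/api/webhooks/1234567890/abcDEF_ghi-jkl bytes_out=512',
    'ts=2024-06-17T05:12:10Z host=WS-0201 process="setup_crack.exe" method=GET '
    'url=https://discord.com/api/webhooks/555/tok bytes_out=0',
    'ts=2024-06-17T05:12:11Z host=WS-0201 process="Office_Activator.exe" method=POST '
    'url=https://discord.com/api/webhooks/555/tok bytes_out=9001',
    'ts=2024-06-17T05:13:00Z host=WS-0300 process="outlook.exe" method=POST '
    'url=https://example.com/api/webhooks/1/abc bytes_out=300',
]

if __name__ == "__main__":
    for a in find_webhook_c2(SAMPLE_LOGS):
        print(f"{a.host} {a.process} -> {a.url}: {a.reason}")
```

Run against the sample lines, the script reports the Python interpreter and the fake activator on two hosts, while the browser POST, the GET probe and the non-Discord webhook are left alone. The allowlist is the weak point of this heuristic: a RAT that injects into a browser process would pass, so in practice this check belongs alongside process-lineage and volume-based rules rather than on its own.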

First released on April 17, 2024, the current version of the program is 1.1.0. It’s also available as a premium version, according to its developer, suggesting that it’s advertised under the malware-as-a-service (MaaS) model.

The development comes amid the return of a cryptocurrency mining botnet referred to as Bondnet, which since 2023 has been observed using its high-performance miner bots as C2 servers by configuring a reverse proxy with a modified version of the legitimate tool Fast Reverse Proxy (FRP).
