Nitol Malware Being Distributed in Forum Archive

The ASEC analysis team confirmed that malware is being distributed in a forum archive in Korea. The attacker uploaded 4 posts disguised as sharing utility programs that are used to distribute malware. These posts distribute Nitol malware disguised as certain utility programs. The related attacks have been happening since last June.

Each post has a description of a utility program with a torrent file attached. Upon opening the torrent file using the torrent client, files can be downloaded. When downloading the file uploaded by the attacker using the torrent file, the malware disguised as a utility program gets downloaded.

Figure 1. Post and the attachment file

The malware files downloaded from each post use utility program icons for disguising.

Figure 2-1. Torrent files attached to each post
Figure 2-2. Malware downloaded with torrent file

When the malware file is run, it performs self-replication in the %Appdata% folder and executes the registry autorun registration command.

C:\Windows\System32\reg.exe  ADD “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /V “My App” /t REG_SZ /F /D “C:\Users\vmuser\AppData\Roaming\[random].exe”
Table 1. Command for autorun registration

It then attempts to connect to C2 and awaits commands from the attacker. Nitol malware can perform malicious behaviors such as downloading and running additional files with the attacker’s command or perform DDoS attacks to a particular URL.

Figure 3. C2 access code

The ASEC analysis team has been identifying the attack since last June. The attacker periodically uploaded posts that distribute Nitol malware on the same archive. The distributed Nitol malware all uses the identical C2. The uploader primarily creates 4 to 5 consecutive posts at once. Considering the attacker may upload malware on the same archive later on, users need to take caution.

For the last 2 weeks, Nitol malware has been distributed in the same forum, other webhards, etc. with the file names shown below.

  • startisback++ 2.9.13 (2.9.1 for 1607) startisback+ 1.7.6 startisback 2.1.2
  • Hancom Office For Educational Institution 2020
  • lumion v4.02 [64bit] incl crack – [mumbai-tpb]
  • labyrinc
  • rival stars horse racing desktop edition repack
  • HWP 2020
  • microsoft toolkit 2.6 beta 4 official
  • adobe illustrator 2020
  • sw_dvd5_office_professional_plus_2016_w32_korean_mlf_x20-41358
  • kmsauto net 2015 v1.4.5 portable
  • 2020 Activation Tool
  • microsoft office 2016
  • [Genuine Korean Version] Office 2007
  • w10 digital activation v1.4.1.exe


[IOC]

C2: rlarnjsdud0502.kro[.]kr

7f0bd4234ba4799a6528eb47de6dde3a (Trojan/Win.Nitol.C4540307)
010db728be2d4ea9d315beec6377f35c (Trojan/Win.Nitol.C4540307)
6046e10c7361299301fb99013cc33ee1 (Trojan/Win.Nitol.C4540307)
0f216a47308f72427107e4a7f5f88c24 (Trojan/Win.Nitol.C4540307)

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments