NanoCore RAT Disguised as Notification of Foreign Currency Remittance Being Spread!
The ASEC analysis team recently discovered that the NanoCore remote access Trojan (RAT) disguised as notification of foreign currency remittance was distributed. Because the malware is usually spread through phishing mails, users need to take extra caution.
The mail impersonates a capital company and is distributed with the title “[** Capital] Notification for Foreign Currency Remittance” as shown below, tricking the user to check the attached file and run it. It is assumed that the sender took an image that is used normally in a particular capital company.
Figure 1. Phishing mail disguised as notification for foreign currency remittance
RAR type file with the R03 extension is found in the downloaded attachment file, and the executable shown below appears upon decompressing the file.
Figure 2. Executable that appears upon decompressing attachment file
When the malware is executed, it operates after a certain time has passed to bypass detection. It then self-copies into the path shown below and performs malicious behaviors after being injected.
– Path for self-copy: %temp%\[filename]
Also, it self-copies again in the following path and makes itself run automatically when Windows restarts by exploiting the registry related to autorun.
– Path for self-copy: %appdata%\Microsoft\Windows\Start Menu\Programs\Adnoe.exe
– Registering autorun: HKCU\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\Shell
Figure 3. Registering autorun
The injected code is the NanoCore RAT, which periodically accesses C2 and performs various malicious behaviors as shown below.
– keylogging, taking screenshots, controlling webcams, remote controlling, DDoS, stealing information of web browser and FTP accounts, and other behaviors that the attacker wants
Figure 4. NanoCore Manage program panel
As the NanoCore RAT is mainly distributed through spam mails, users should take extra caution against mails from unknown sources and refrain from running attached files in suspicious mails. Also, V3 should be updated to the latest version so that malware infection can be prevented.
AhnLab’s anti-malware product, V3, detects and blocks the malicious file using the aliases below.
[File Detection]
Trojan/Win.Generic.C4572136
Win-Trojan/Nanocore.Exp
