NanoCore RAT Disguised as Notification of Foreign Currency Remittance Being Spread!

The ASEC analysis team recently discovered that the NanoCore remote access Trojan (RAT) is being distributed disguised as a notification of a foreign currency remittance. Because this malware is usually spread through phishing e-mails, users need to take extra caution.

The mail impersonates a capital company and is distributed with the subject “[** Capital] Notification for Foreign Currency Remittance”, as shown below, tricking the user into opening and running the attached file. The sender appears to have reused an image that the impersonated capital company normally uses in its correspondence.

Figure 1. Phishing mail disguised as notification for foreign currency remittance

The downloaded attachment is a RAR archive with the .r03 extension; decompressing it yields the executable shown below.

Figure 2. Executable that appears upon decompressing attachment file

When the malware is executed, it waits for a certain period of time before acting, in order to evade sandbox-style detection. It then copies itself to the path shown below and performs its malicious behaviors after injecting its payload.
– Path for self-copy: %temp%\[filename]

It also copies itself a second time to the following path and, by modifying the autorun-related registry value below, makes itself run automatically when Windows restarts.
– Path for self-copy: %appdata%\Microsoft\Windows\Start Menu\Programs\Adnoe.exe
– Registering autorun: HKCU\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\Shell

Figure 3. Registering autorun
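The persistence described above replaces the Winlogon Shell value so that the dropped executable starts alongside the desktop shell. The following audit script is an added example, not code from the ASEC post: it reads the standard Winlogon\Shell value (the real key name is CurrentVersion, without a space) in both HKLM and HKCU, reports any entry other than the Windows default, and lists executables dropped into the Start Menu\Programs folder. It assumes a clean Shell value is exactly "explorer.exe".

```powershell
# Added defender example (not from the ASEC post). Assumption: on an unmodified
# system the Winlogon Shell value is "explorer.exe" and HKCU has no Shell value.

function Get-SuspiciousWinlogonShell {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) { continue }   # HKCU normally carries no Shell value at all
        if ($key -like 'HKCU:*') {
            # A per-user override by itself is worth a look on a workstation
            [pscustomobject]@{ Source = $key; Finding = "Per-user Shell override present: $shell" }
        }
        # A hijacked value looks like "explorer.exe,C:\...\Adnoe.exe": split on commas
        foreach ($entry in ($shell -split ',')) {
            $entry = $entry.Trim()
            if ($entry -ne '' -and $entry -ine 'explorer.exe') {
                [pscustomobject]@{ Source = $key; Finding = "Extra shell entry: $entry" }
            }
        }
    }
}

function Get-ExecutablesInStartMenuPrograms {
    # The sample drops its second copy into this folder, which normally holds only .lnk files
    $dir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
    Get-ChildItem -Path $dir -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $md5 = (Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash
            [pscustomobject]@{
                Source  = $_.FullName
                Finding = "Executable in Start Menu\Programs (MD5 $md5)"
            }
        }
}

$findings = @(Get-SuspiciousWinlogonShell) + @(Get-ExecutablesInStartMenuPrograms)
if ($findings.Count -eq 0) {
    'No Winlogon Shell or Start Menu\Programs persistence indicators found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The MD5 column lets an analyst compare a dropped file directly against the hashes listed in the IOC section of this post.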

The injected code is the NanoCore RAT, which periodically connects to its C2 server and performs various malicious behaviors, including the following:
– keylogging, taking screenshots, controlling the webcam, remote control of the host, DDoS, stealing web browser and FTP account information, and any other behavior the attacker wants

Figure 4. NanoCore Manage program panel

As the NanoCore RAT is mainly distributed through spam e-mails, users should take extra caution with mails from unknown sources and refrain from running attachments in suspicious mails. V3 should also be kept updated to the latest version so that malware infection can be prevented.


AhnLab’s anti-malware product, V3, detects and blocks the malicious file using the aliases below.

[File Detection]
Trojan/Win.Generic.C4572136
Win-Trojan/Nanocore.Exp

[IOC]
2c576a87b820ab1568614056efba4928
f38cfce7edf1cc498eba37f135f324c6
pure3[.]ddns[.]net

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
