Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.
The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.
“Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware’s distribution independently from the initial distributor,” the AhnLab Security Intelligence Center (ASEC) said.
“Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware.”
Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.
NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.
First released on April 17, 2024, the current version of the program is 1.1.0. It is also available as a premium version, according to its developer, suggesting that it is marketed under the malware-as-a-service (MaaS) model.
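Because the C2 channel described above is a Discord Webhook, outbound POSTs to webhook endpoints are a practical hunting signal in web proxy logs. The following is an added example, not code from the article or from ASEC: the log line format is an assumption, and the hostnames, webhook ID and token in the sample are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format:
# timestamp host method url bytes_sent "user-agent"). IDs and tokens are fake.
SAMPLE_LOG = """\
2024-06-17T09:01:12Z ws-014 GET https://discord.com/channels/@me 512 "Mozilla/5.0"
2024-06-17T09:02:40Z ws-022 POST https://discord.com/api/webhooks/123456789012345678/EXAMPLE-token_AAAA 48211 "python-requests/2.31.0"
2024-06-17T09:02:55Z ws-022 POST https://discordapp.com/api/v10/webhooks/123456789012345678/EXAMPLE-token_AAAA 910233 "python-requests/2.31.0"
2024-06-17T09:05:03Z ws-031 POST https://example.org/api/webhooks/1/abc 120 "curl/8.4.0"
malformed line
"""

DISCORD_HOSTS = {"discord.com", "discordapp.com"}
# Webhook execute endpoint: /api/webhooks/<id>/<token>, optionally versioned.
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/([\w-]+)")
LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

def is_discord_host(hostname):
    """True for discord.com / discordapp.com and their subdomains only."""
    hostname = (hostname or "").lower().rstrip(".")
    return any(hostname == h or hostname.endswith("." + h) for h in DISCORD_HOSTS)

def find_webhook_uploads(log_text):
    """Return per-host totals for POSTs to Discord webhook endpoints."""
    hits = defaultdict(lambda: {"posts": 0, "bytes": 0,
                                "webhook_ids": set(), "agents": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, host, method, url, sent, agent = m.groups()
        parts = urlsplit(url)
        path = WEBHOOK_PATH.match(parts.path)
        if method != "POST" or not path or not is_discord_host(parts.hostname):
            continue
        entry = hits[host]
        entry["posts"] += 1
        entry["bytes"] += int(sent)
        entry["webhook_ids"].add(path.group(1))  # keep the ID, drop the token
        entry["agents"].add(agent)
    return dict(hits)

if __name__ == "__main__":
    for host, info in find_webhook_uploads(SAMPLE_LOG).items():
        print(host, info["posts"], info["bytes"],
              sorted(info["webhook_ids"]), sorted(info["agents"]))
```

Webhook posts also come from legitimate automation such as CI notifications, so hits are leads to triage by host role, user agent and upload volume rather than verdicts.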
The development comes amid the return of a cryptocurrency mining botnet known as Bondnet, which has been detected using the high-performance miner bots as C2 servers since 2023 by configuring a reverse proxy using a modified version of a legitimate tool called Fast Reverse Proxy (FRP).