Introduction

NanoCore is a Remote Access Tool (RAT) that's currently available for a $25 license [1]. However, like many other RATs, NanoCore has been used by criminal groups to take over Windows computers. Beta versions of NanoCore RAT have been available to criminals since 2013 [2], and a cracked full version was leaked last year, in 2015 [3].

Since then, the NanoCore RAT has been used in targeted phishing campaigns that are subtle and harder to detect [4]. Earlier this year, we saw it used in tax-themed emails as part of an increased distribution of the full-featured NanoCore RAT through phishing [5].

Since then, I haven't noticed any public reporting on specific campaigns, even though I've noticed NanoCore RAT-based phishing emails on a near-daily basis. These recent emails don't seem subtle, and the vast majority of them are blocked. I consider these recent examples malicious spam (malspam). They either have attached zip archives containing an executable file, or they have attached Microsoft Office documents with malicious macros designed to download and execute the NanoCore RAT. One such malspam with a zip attachment was recently sent to my malware-traffic-analysis.net email address. That one was easily caught by my spam filter.

Due to a relative lack of publicly-posted info on recent NanoCore RAT malspam campaigns, I thought I'd examine the email I received for today.
Shown above: The malspam.

The malspam was a fake purchase order, spoofed to appear to come from Media6, a company that specializes in Point of Sale (POS) marketing.

  • Date/time: 2016-10-18 17:49 UTC
  • From: [email protected]
  • To: [email protected]
  • Subject: TKP-PO 332-2016131023
  • Attachment (zip archive): TKP-PO 332-2016131023.zip
  • Malware from the zip archive: TKP-PO 332-2016131023.exe

Examining the email headers, we find the email came from a mail server at ps1.700tb.com on 119.18.103.60. The sending email address may or may not be spoofed.
Shown above: Email headers for the malspam.

The malware

As far as malspam goes, the attachment isn't anything tricky. It's just an executable file in a zip archive, and most corporate email filtering blocks attachments of this type outright. And why would a file that's supposed to be a purchase order carry the icon of the Chrome web browser? That just doesn't make sense to me.
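The two checks made above, tracing the Received headers back to the server that handed the message to the recipient's mail system and looking inside the zip attachment for an executable, as an added Python example that is not part of the diary or of any ISC tooling. The sample message is constructed for the example: only the hostname ps1.700tb.com, the address 119.18.103.60 and the attachment name come from the diary, while mx.example.net, media6.example, the forged bottom Received line and the `trusted_domain` parameter are assumptions. The caveat the code enforces is that only Received lines written by your own MTAs can be trusted; anything older in the chain was written by the sender and can be forged.

```python
"""Malspam triage (added example): trace the Received chain to the hop our own
MTA recorded, compare that server with the From: domain, and flag zip
attachments that carry a PE executable. Sample message is constructed."""
import base64
import email
import email.policy
import email.utils
import io
import re
import zipfile

RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<comment>[^)]*)\))?"
    r"(?:.*?\bby\s+(?P<by>\S+))?", re.IGNORECASE | re.DOTALL)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs")


def received_hops(msg):
    """Hops oldest-first. Every MTA prepends its own Received line, so the last
    header in the message is the first hop; lines without 'from' are skipped."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED.search(str(value))
        if not m:
            continue
        comment = m.group("comment") or ""
        ip = IPV4.search(comment)
        hops.append({
            "helo": m.group("helo"),
            # reverse-DNS name the receiving MTA wrote into the comment, if any
            "rdns": None if not comment or comment.startswith("[") else comment.split()[0],
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
        })
    return hops


def originating_hop(hops, trusted_domain):
    """Oldest hop recorded by one of *our* MTAs (hostname under trusted_domain).
    Older lines were written by the sender's side and may be forged."""
    suffix = "." + trusted_domain.lower()
    for hop in hops:
        by = (hop["by"] or "").lower().rstrip(".")
        if by == trusted_domain.lower() or by.endswith(suffix):
            return hop
    return None


def registrable(host):
    """Crude 'last two labels' approximation of the registrable domain
    (assumption: no public-suffix list, fine for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def from_domain(msg):
    _, addr = email.utils.parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def zip_attachment_report(msg):
    """List entries of each zip attachment, flagging executables by extension
    and by the 'MZ' PE header read from the entry's first two bytes."""
    report = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not data.startswith(b"PK\x03\x04"):
            continue
        entries = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                with zf.open(info) as fh:
                    head = fh.read(2)
                entries.append({"name": info.filename,
                                "exec_ext": info.filename.lower().endswith(EXEC_EXT),
                                "pe_magic": head == b"MZ"})
        report.append({"attachment": part.get_filename(), "entries": entries})
    return report


def triage(raw, trusted_domain):
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hops = received_hops(msg)
    origin = originating_hop(hops, trusted_domain)
    sender = from_domain(msg)
    # A mismatch is a hint, not proof of spoofing: third-party mailers also
    # send for domains they do not own ("may or may not be spoofed").
    mismatch = bool(origin and sender and
                    registrable(origin["rdns"] or origin["helo"]) != registrable(sender))
    attachments = zip_attachment_report(msg)
    executable = any(e["exec_ext"] or e["pe_magic"] for a in attachments for e in a["entries"])
    return {"hops": hops, "origin": origin, "from_domain": sender,
            "sender_mismatch": mismatch, "attachments": attachments,
            "verdict": "block" if executable else "review"}


def build_sample():
    """Constructed sample: zip holding a stub 'executable' (MZ header plus
    padding) named as in the diary, with one forged Received line at the
    bottom of the chain, the kind a sender adds to mislead analysis."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TKP-PO 332-2016131023.exe", b"MZ" + b"\x90" * 62)
    b64 = base64.encodebytes(buf.getvalue()).decode()
    raw = (
        "Received: from mx.example.net (mx.example.net [10.0.0.5])\r\n"
        " by mailbox.example.net with ESMTP id 2; Tue, 18 Oct 2016 17:49:31 +0000\r\n"
        "Received: from ps1.700tb.com (ps1.700tb.com [119.18.103.60])\r\n"
        " by mx.example.net with ESMTP id 1; Tue, 18 Oct 2016 17:49:30 +0000\r\n"
        "Received: from mail.media6.example (mail.media6.example [203.0.113.7])\r\n"
        " by ps1.700tb.com with SMTP; Tue, 18 Oct 2016 17:49:00 +0000\r\n"
        "From: \"Media6 Orders\" <orders@media6.example>\r\n"
        "To: <victim@example.net>\r\nSubject: TKP-PO 332-2016131023\r\n"
        "MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary=\"b1\"\r\n"
        "\r\n--b1\r\nContent-Type: text/plain\r\n\r\nPlease find attached our purchase order.\r\n"
        "--b1\r\nContent-Type: application/zip; name=\"TKP-PO 332-2016131023.zip\"\r\n"
        "Content-Disposition: attachment; filename=\"TKP-PO 332-2016131023.zip\"\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64 + "--b1--\r\n")
    return raw.encode()


if __name__ == "__main__":
    print(triage(build_sample(), "example.net"))
```

Run against the constructed sample, `triage()` skips the forged `mail.media6.example` line because it was "received by" ps1.700tb.com rather than by a host under example.net, reports ps1.700tb.com / 119.18.103.60 as the origin, notes that 700tb.com does not match the claimed media6.example sender, and returns a "block" verdict because the zip holds a file with both an executable extension and a PE header.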

 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Node.js CVE-2016-7099 Security Bypass Vulnerability
 
Node.js CVE-2016-5325 CRLF Injection Vulnerability
 


An alleged Russian hacker arrested in the Czech Republic following an FBI-coordinated tip-off is suspected of taking part in a 2012 breach of LinkedIn that resulted in the theft of more than 117 million user passwords, representatives of the professional networking site said Wednesday.

"Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI's case to pursue those responsible," company officials said in a statement. "We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity."

Word of the arrest came on Tuesday evening in a brief statement issued by Czech Republic officials. It said an unnamed man was arrested in Prague on suspicion of committing unspecified hacks on targets located in the US. The raid was carried out in collaboration with the FBI. According to The New York Times, the suspect was captured on October 5, about 12 hours after authorities learned he was in the country. His arrest was kept a secret until Tuesday "for tactical reasons," the paper reported.


 
Cisco IOS and IOS XE Software CVE-2015-6289 Denial of Service Vulnerability
 
Potrace CVE-2016-8686 Memory Corruption Vulnerability
 
Libav 'get_vlc2()' Function NULL Pointer Dereference Denial of Service Vulnerability
 
OpenSSL CVE-2016-2181 Denial of Service Vulnerability
 
Cisco Security Advisory: Cisco ASA Software Identity Firewall Feature Buffer Overflow Vulnerability
 
Evernote for Windows DLL Loading Remote Code Execution Vulnerability
 


Researchers have devised a technique that bypasses a key security protection built into just about every operating system. If left unfixed, this could make malware attacks much more potent.

ASLR, short for "address space layout randomization," is a defense against a class of widely used attacks that surreptitiously install malware by exploiting vulnerabilities in an operating system or application. By randomizing the locations in computer memory where software loads specific chunks of code, ASLR often limits the damage of such exploits to a simple computer crash, rather than a catastrophic system compromise. Now, academic researchers have identified a flaw in Intel chips that allows them to effectively bypass this protection. The result is exploits that are much more effective than they would otherwise be.

Nael Abu-Ghazaleh, a computer scientist at the University of California at Riverside and one of the researchers who developed the bypass, told Ars:

