Information Security News
NanoCore is a Remote Access Tool (RAT) thats currently available for a $25 license . However, like many other RATs, NanoCore has been used by criminal groups to take over Windows computers. Beta versions of NanoCore RAT have been available to criminals since 2013 , and a cracked full version was leaked last year in 2015 .
Since then, the NanoCore RAT has been used in targeted phishing campaigns that are subtle and harder to detect . Earlier this year, we saw it used in tax-themed emails as part of an increased distribution of the full-featured NanoCore RAT through phishing .
Since then, I havent noticed any public reporting on specific campaigns, even though Ive noticed NanoCore RAT-based phishing emails on a near-daily basis. These recent emails dont seem subtle, and the vast majority of them are blocked. I consider these recent examples malicious spam (malspam). They either have attached zip archives containing an executable file, or they have attached Microsoft Office documents with malicious macros designed to download and execute the NanoCore RAT. One such malspam with a zip attachment was recently sent to my malware-traffic-analysis.net email address. That one was easily caught by my spam filter.
Due to a relative lack of publicly-posted info on recent NanoCore RAT malspam campaigns, I thought Id examine the email I received for today" />
Shown above: The malspam.
The malspam was a fake purchase order, spoofed to seem that it came from Media6, a company that specialized in Point of Sale (POS) marketing.
Examining the email headers, we find the email came from a mail server at ps1.700tb.com on 22.214.171.124. The sending email address may or may not be spoofed." />
Shown above: Email headers for the malspam.
As far as malspam goes, the attachment isnt anything tricky. Its just an executable file in a zip archive. These types of emails can easily be blocked by most corporate email filtering. And why would you have an icon for the Chrome web browser for a file thats supposed to be a purchase order? That just doesnt make sense to me.
I checked the traffic against Snort 126.96.36.199 using the Snort subscription ruleset, and I also checked it on Security Onion running Suricata with the ET PRO ruleset. The Snort ruleset showed alerts for NanoBot activity (a botnet with hosts controlled by the NanoCore RAT)." />
Shown above:" />
Shown above: Alerts from the ET and ET PRO rulesets.
em>Final wordsp>The NanoCore RAT is a tool that has been used in targeted phishing attacks, but Ive noticed it in daily waves of what appear to be malspam. In fact, my publicly-known blog email address got hit with an example. That leads me to believe most of the threat from NanoCore RAT is through mass distribution.
With proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected. I figure these waves of NanoCore RAT-based malspam are geared towards home users and anyone else without sufficient security controls.
brad [at] malware-traffic-analysis.net
An alleged Russian hacker arrested in the Czech Republic following an FBI-coordinated tip-off is suspected of taking part in a 2012 breach of LinkedIn that resulted in the theft of more than 117 million user passwords, representatives of the professional networking site said Wednesday.
"Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI's case to pursue those responsible," company officials said in a statement. "We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity."
Word of the arrest came on Tuesday evening in a brief statement issued by Czech Republic officials. It said an unnamed man was arrested in Prague on suspicion of committing unspecified hacks on targets located in the US. The raid was carried out in collaboration with the FBI. According to The New York Times, the suspect was captured on October 5, about 12 hours after authorities learned he was in the country. His arrest was kept a secret until Tuesday "for tactical reasons," the paper reported.
Researchers have devised a technique that bypasses a key security protection built into just about every operating system. If left unfixed, this could make malware attacks much more potent.
ASLR, short for "address space layout randomization," is a defense against a class of widely used attacks that surreptitiously install malware by exploiting vulnerabilities in an operating system or application. By randomizing the locations in computer memory where software loads specific chunks of code, ASLR often limits the damage of such exploits to a simple computer crash, rather than a catastrophic system compromise. Now, academic researchers have identified a flaw in Intel chips that allows them to effectively bypass this protection. The result are exploits that are much more effective than they would otherwise be.
Nael Abu-Ghazaleh, a computer scientist at the University of California at Riverside and one the researchers who developed the bypass, told Ars: