November 20, 2023
Severity Medium Analysis Summary Agent Tesla is a very popular spyware Trojan built for the.NET framework. Since its initial appearance in 2014, this has been deployed […]
Rewterz Threat Alert – Malspam Drops GandCrab Ransomware
April 16, 2019Rewterz Threat Alert – A Cross Platform, Rootkit-Enabled Spyware Operation Targeting Victims Worldwide
April 16, 2019Rewterz Threat Alert – Malspam Drops GandCrab Ransomware
April 16, 2019Rewterz Threat Alert – A Cross Platform, Rootkit-Enabled Spyware Operation Targeting Victims Worldwide
April 16, 2019
Severity
Medium
Analysis Summary
A Malspam campaign has been discovered distributing the Nanocore RAT Malware, a Remote Access Trojan that hides its presence for a long time by disabling the operation of an updated antivirus program. By generating fake alerts, it triggers and tricks users into installing the latest version of application software or virus protection software, meanwhile dropping harmful payloads in the registry editor. Once the user boots the system, the payloads are executed.
Many Malspam campaigns have been reported dropping the NanoCore RAT malware via MS Office documents, archives, etc. However, user action (clicking on attachments) is required for the infection to be successful.
Impact
Unauthorized Remote Access
Indicators of Compromise
IP(s) / Hostname(s)
- 184.75.209[.]163
- 185.163.45[.]48
URLs
- hxxp://testwork.kozow[.]com
Email Address
- ivona.rasic[@]superknjizara[.]hr
- noreply[@]fastpay[.]net
- ingodwetrust092[@]gmail[.]com
Malware Hash (MD5/SHA1/SH256)
- 812b23fd290cf4d50506b7509bce31ba
- 170146fa59c0982718a9b29521d1c7c7
- 3022ff8c4661ef35acea8a6dcf5a5fed
Remediation
- Block the threat indicators at their respective controls.
- Do not download/click on email attachments coming from untrusted sources.
- Always scan downloaded files prior to execution.