{
  "name": "Malware botnet installing NiceRAT",
  "slug": "malware-botnet-installing-nicerat",
  "description": "This report discusses a botnet that has been active since 2019, distributing various malware such as NiceRAT, Nitol, and NanoCore. The botnet's malware is spread disguised as cracked programs, posing as genuine software activators or game server tools, which are shared on domestic file-sharing sites and blogs. Once a system is infected, the malware connects to command-and-control (C&C) servers and installs additional payloads such as NiceRAT, a Python-based open-source remote access trojan that steals system information, browser data, and cryptocurrency wallets.",
  "published": "2024-06-06T05:28:50+00:00",
  "created_at": "2024-06-06T05:28:50+00:00",
  "modified_at": "2024-06-06T06:04:33+00:00",
  "created_at_opencti": "2024-06-06T05:28:50+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-06",
    "botnet",
    "malware",
    "nanocore",
    "nicerat",
    "nitol"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "http://gandigod1.ddns.net:2000"
      },
      {
        "id": "",
        "name": "http://gandigod.ddns.net:8080"
      },
      {
        "id": "",
        "name": "http://gandigod1.ddns.net:3255"
      },
      {
        "id": "",
        "name": "http://gandigod.ddns.net:3255"
      },
      {
        "id": "",
        "name": "http://gandigod.ddns.net:5407"
      },
      {
        "id": "",
        "name": "http://gandigod.ddns.net:54984"
      },
      {
        "id": "",
        "name": "http://gandigod.codns.com:2000"
      },
      {
        "id": "",
        "name": "http://gandigod.codns.com:5407"
      },
      {
        "id": "",
        "name": "http://gandigod.codns.com:7481"
      },
      {
        "id": "",
        "name": "gandigod1.ddns.net"
      },
      {
        "id": "",
        "name": "gandigod.codns.com"
      },
      {
        "id": "",
        "name": "gandigod.ddns.net"
      },
      {
        "id": "",
        "name": "f97123d0450c2a436dff3d4e7c674c366833bcbf4f21ebd387dabba8737d1101"
      },
      {
        "id": "",
        "name": "ebe2488e6a5a5e9512d3751ef6ba7e68c08ac072169cf9af0aed74db1f1ef1b0"
      },
      {
        "id": "",
        "name": "d58355fed81b0412fb36dff5c210c70b32de67501962df3e350648835e0ae07c"
      },
      {
        "id": "",
        "name": "b372d5cadca2b0b212e982615fd8df8a31322651a4057afd701dd075e85dd8e4"
      },
      {
        "id": "",
        "name": "c78b22ec1a704a79847ec30404386253b2b2e48563bb7f55ccb8696cb88c60f0"
      },
      {
        "id": "",
        "name": "ab5fc09447ea83e7c3f79e8817921eb2170fd2592b8d0f7d03d0934f5dad14e8"
      },
      {
        "id": "",
        "name": "787b530fe09cea2be36f78478268eed7dfd62b68b538c62e90f1de1507c8277d"
      },
      {
        "id": "",
        "name": "66744784b22d5d1698f9755cdcc226c644aec3a8cd9c551aa7aa5845ed19b614"
      },
      {
        "id": "",
        "name": "55f047455519bc3cd96322361a66cd3667293f50811afe16c553382fa443465c"
      },
      {
        "id": "",
        "name": "52991b00ba04504a2195d3a12521496170acbc1002176679bf59d3f2890e3d5d"
      },
      {
        "id": "",
        "name": "4c25df3edce36c720c3e39d5e3f93ce4035ec7857be76fc4ac9e612168210367"
      },
      {
        "id": "",
        "name": "39f06354924b3779b20223a8630a99317786906eb1216e88f2d5f58b3d38cc7f"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:e5764363f8438144",
        "name": "NiceRAT",
        "slug": "nicerat"
      },
      {
        "id": "legacy:malware:92904e2c306fc6ca",
        "name": "NanoCore - S0336",
        "slug": "nanocore-s0336"
      },
      {
        "id": "fa7f1ae8-a2dc-4be9-914f-e1bb1cc09f69",
        "name": "Nitol",
        "slug": "nitol"
      }
    ],
    "attack_patterns": [
      {
        "id": "4f0fd880-1731-42a7-88ed-97bb3c1c1571",
        "name": "T1136.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      }
    ]
  },
  "external_refs": [
    "https://asec.ahnlab.com/ko/66040/",
    "https://otx.alienvault.com/pulse/666165328cfbe947ee0a3fa9"
  ]
}