Cyber criminals have been observed using malware known as NiceRAT to co-opt infected devices into a botnet.
The attacks, which target South Korean users, spread the malware disguised as pirated software, such as Microsoft Windows, or as tools that claim to offer license verification for Microsoft Office.
“Due to the nature of pirated software, information exchange among regular users aids in the dissemination of malware independently from the original distributor,” the AhnLab Security Intelligence Center (ASEC) stated.
“As threat actors usually provide instructions to eliminate anti-malware programs during the distribution phase, detecting the disseminated malware becomes challenging.”
Other distribution methods include a botnet of zombie machines infected with a remote access trojan (RAT) known as NanoCore RAT, mirroring earlier activity that used the Nitol DDoS malware to spread another malware family called Amadey Bot.
NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing threat actors to exfiltrate sensitive data from the compromised system.
First released on April 17, 2024, the current version of the software is 1.1.0. It is also available as a premium version, according to its creator, which suggests that it is promoted under the malware-as-a-service (MaaS) model.
This development comes amid the resurgence of a cryptocurrency mining botnet known as Bondnet, which has been using high-performance miner bots as C2 servers since 2023 by configuring a reverse proxy with a modified version of a legitimate tool called Fast Reverse Proxy (FRP).
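Because the C2 channel described above is a Discord Webhook, outbound POSTs to webhook endpoints from hosts with no business reason to send them are a useful hunting signal. The following is an added example, not code from ASEC or from the malware: the log format, host names, allowlist and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Discord webhook execution endpoint: /api[/vN]/webhooks/<numeric id>/<token>
WEBHOOK_PATH = re.compile(r"^/api(?:/v\d+)?/webhooks/(\d+)/([\w-]+)")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}

# Constructed sample proxy log lines: time, source host, method, URL, bytes sent
SAMPLE_LOG = """\
2024-06-17T09:01:12Z ws-014 GET https://discord.com/channels/@me 0
2024-06-17T09:02:40Z ws-022 POST https://discord.com/api/webhooks/111111111111111111/EXAMPLE-TOKEN-aaaa 48211
2024-06-17T09:07:41Z ws-022 POST https://discordapp.com/api/v10/webhooks/111111111111111111/EXAMPLE-TOKEN-aaaa 1302
2024-06-17T09:08:03Z build-01 POST https://discord.com/api/webhooks/222222222222222222/EXAMPLE-TOKEN-bbbb 512
2024-06-17T09:09:00Z ws-030 POST https://example.org/api/webhooks/333/abc 90
"""

ALLOWLIST = {"build-01"}  # hypothetical: hosts approved to post notifications to Discord


def find_webhook_posts(log_text, allowlist=ALLOWLIST):
    """Return {host: {"webhook_ids", "posts", "bytes"}} for hosts not on the allowlist."""
    hits = defaultdict(lambda: {"webhook_ids": set(), "posts": 0, "bytes": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, host, method, url, sent = parts
        target = urlsplit(url)
        match = WEBHOOK_PATH.match(target.path)
        on_discord = (target.hostname or "").lower() in DISCORD_HOSTS
        if method != "POST" or not on_discord or not match:
            continue
        if host in allowlist:
            continue
        entry = hits[host]
        entry["webhook_ids"].add(match.group(1))  # keep the id, never the secret token
        entry["posts"] += 1
        entry["bytes"] += int(sent) if sent.isdigit() else 0
    return dict(hits)


if __name__ == "__main__":
    for host, info in find_webhook_posts(SAMPLE_LOG).items():
        print(host, sorted(info["webhook_ids"]), info["posts"], info["bytes"])
```

Seeing the URL path requires a TLS-inspecting proxy or endpoint telemetry; without it, only the Discord hostname is visible and the check degrades to a per-host allowlist on that domain.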

