Briefing Malware

Briefing Malware - 18/01/2022

18th of January 2022 - Winners of the 3rd week : Redline, NjRAT and Nanocore.

Some links points at extended actionnable intelligence (Threat Bulletins, TTPs, signatures, etc) on our Threat Intelligence Platform Anomali. This access is limited to our clients.


Threat statistics report

Publication date:


Distribution :


What's new?

Nanocore (ID Mitre: S0336) / AsyncRAT (NC)

Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure

#Cisco Talos analyzed a malicious campaign spotted at the end of October 2021 that delivered some Remote Access Trojan (#RAT), mostly across United States, Italy and Singapore.

The threat actor, which has not been named by Talos, deployed a distributed infrastructure depending on cloud resources such as #Amazon AWS EC2 or #Microsoft Azure instances to host their Command-And-Control (#C&C) servers and even deployed some web servers to host malwares like #Nanocore, #AsyncRAT or #Netwire. They created malicious DNS subdomains via #DuckDNS, a free dynamic DNS service, to resolve download servers.

A #PowerShell dropper has been identified, built with #Hcrypt crypter, in the infection chain which was already been spotted by #TrendMicro researchers in a previous campaign named Water Basilisk (source). Hcrypt is considered as a #crypter-as-a-service and give access to sophisticated malware deployment with a minimal investment to several threat actors having not enough time or resources for that.


Download the report