144 lines
No EOL
6 KiB
JSON
144 lines
No EOL
6 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-10-21",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Malspam delivers NanoCore RAT",
|
|
"publish_timestamp": "1477049706",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1477049683",
|
|
"uuid": "5809fbe9-c034-41a2-999f-450a950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#440055",
|
|
"local": "0",
|
|
"name": "ms-caro-malware:malware-type=\"RemoteAccess\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#4bec00",
|
|
"local": "0",
|
|
"name": "enisa:nefarious-activity-abuse=\"remote-access-tool\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049422",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5809fc4e-5904-4385-9f53-4520950d210f",
|
|
"value": "http://www.dshield.org/forums/diary/Malspam+delivers+NanoCore+RAT/21615/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049451",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5809fc6b-93b4-448d-ba49-442b950d210f",
|
|
"value": "NanoCore is a Remote Access Tool (RAT) that's currently available for a $25 license [1]. However, like many other RATs, NanoCore has been used by criminal groups to take over Windows computers. Beta versions of NanoCore RAT have been available to criminals since 2013 [2], and a cracked full version was leaked last year in 2015 [3].\r\n\r\nSince then, the NanoCore RAT has been used in targeted phishing campaigns that are subtle and harder to detect [4]. Earlier this year, we saw it used in tax-themed emails as part of an increased distribution of the full-featured NanoCore RAT through phishing [5].\r\n\r\nSince then, I haven't noticed any public reporting on specific campaigns, even though I've noticed NanoCore RAT-based phishing emails on a near-daily basis. These recent emails don't seem subtle, and the vast majority of them are blocked. I consider these recent examples malicious spam (malspam). They either have attached zip archives containing an executable file, or they have attached Microsoft Office documents with malicious macros designed to download and execute the NanoCore RAT. One such malspam with a zip attachment was recently sent to my malware-traffic-analysis.net email address. That one was easily caught by my spam filter.\r\n\r\nDue to a relative lack of publicly-posted info on recent NanoCore RAT malspam campaigns, I thought I'd examine the email I received for today's dairy."
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049480",
|
|
"to_ids": true,
|
|
"type": "email-attachment",
|
|
"uuid": "5809fc88-4394-4670-87ce-49c8950d210f",
|
|
"value": "TKP-PO 332-2016131023.zip"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Examining the email headers, we find the email came from a mail server at ps1.700tb.com on 119.18.103.60.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049551",
|
|
"to_ids": false,
|
|
"type": "ip-src",
|
|
"uuid": "5809fccf-264c-4082-8de2-4b8b950d210f",
|
|
"value": "119.18.103.60"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049611",
|
|
"to_ids": true,
|
|
"type": "filename|sha256",
|
|
"uuid": "5809fd0b-1f20-4cd1-986a-43ad950d210f",
|
|
"value": "TKP-PO 332-2016131023.exe|69c32f18a33f922e253d39025e773211223c9af832314103410ca9eccf1a90f2"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Running the malware on a host in my lab environment gave me post-infection activity on 137.74.157.90 as encoded or encrypted traffic over TCP port 33338.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049642",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5809fd2a-045c-4e1d-bc64-4997950d210f",
|
|
"value": "137.74.157.90"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 69c32f18a33f922e253d39025e773211223c9af832314103410ca9eccf1a90f2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049683",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5809fd53-de94-4611-8791-448b02de0b81",
|
|
"value": "7ee0f986fce3e685fafd89619fe548f139749b21"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 69c32f18a33f922e253d39025e773211223c9af832314103410ca9eccf1a90f2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049684",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5809fd54-ba2c-496b-92a0-4bf702de0b81",
|
|
"value": "568177c47e85e9343870f7c1625c8cf4"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 69c32f18a33f922e253d39025e773211223c9af832314103410ca9eccf1a90f2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1477049684",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5809fd54-c538-4e9d-9ae8-4c2e02de0b81",
|
|
"value": "https://www.virustotal.com/file/69c32f18a33f922e253d39025e773211223c9af832314103410ca9eccf1a90f2/analysis/1477031597/"
|
|
}
|
|
]
|
|
}
|
|
} |