How Hackers Use Icon Files to Distribute the NanoCore Trojan

NanoCore

NanoCore is a remote administration trojan (RAT), a malicious program belonging to the trojan horse family. Its purpose is to steal users' data. The trojan usually spreads through spam emails and fake software updates.

What is NanoCore remote administration trojan?

The NanoCore remote administration trojan hijacks web browsers and alters the information they display. Logins and passwords entered by the user are stolen and sent to the crooks' remote server. With stolen logins and passwords, cybercriminals can quickly take over users' online accounts and transfer money to their own wallets.

Cybercriminals use this capability to pressure users into paying a ransom. In addition, the trojan steals saved passwords, autocomplete data, and other types of information. The NanoCore remote administration trojan also collects Internet browsing data (history, cookies, and more) and PC system data.

This malware should be removed as soon as it is found, because the NanoCore remote administration trojan can mask itself very well on the computer system.

Name: NanoCore remote administration trojan
Type: Trojan
Damage: Severe
Alternative name: NanoCore remote administration trojan
Detection names: BitDefenderTheta (Gen:NN.ZemsilF.34110.sm0@aKk3Wom), ESET-NOD32 (A Variant Of MSIL/GenKryptik.EKVH), Kaspersky (HEUR:Trojan-Spy.MSIL.Noon.gen), Microsoft (Trojan:MSIL/Vigorf.A)
Symptoms: Trojans are designed to stealthily infiltrate the victim's computer and remain silent, so no particular symptoms are clearly visible on an infected machine.
Distribution methods: Infected email attachments, malicious online advertisements, social engineering, software 'cracks'.
Consequences of the attack: Stolen passwords and banking information, identity theft, the victim's computer added to a botnet.

NanoCore remote administration trojan Symptoms

The NanoCore remote administration trojan may look like a harmless process and is difficult to find. However, the infected PC typically starts to show common symptoms such as:

  • The processor consumes most of the computer’s system resources.
  • The computer often hangs and crashes.
  • Browsers are full of malicious pop-ups.
  • Random windows open by themselves without the user taking any action.
  • The pages in the browser redirect the user to fake sites.

Hackers use icon files to distribute NanoCore Trojan

A new malspam (phishing) campaign uses icon files to deceive victims and have them execute the NanoCore Trojan on their devices unknowingly.

On Thursday, Trustwave's SpiderLabs ethical hacking team reported that it had seen a new campaign using this technique to propagate NanoCore, a Remote Access Trojan (RAT).


The phishing emails are sent to victims addressed to a "Purchasing Manager", usually at partner organizations and the like.

Of course, the hackers use the organizations' logos and similar branding to make the email look as if it really came from them. The phishing emails carry one attachment, named "NEW PURCHASE ORDER.pdf *.zipx". It is not a ZIP archive at all but a binary image file: an icon.

The icon file carries additional data appended to it in .RAR format.

By disguising the archive as an icon file, the scammers probably evade the email security filters that organizations have in place.

If the victim opens the attachment and has a decompression tool such as WinZip or WinRAR installed on their computer, an executable file is extracted. 7-Zip can also extract the file, but it takes more than one attempt.
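The technique described above comes down to a mismatch between what an attachment claims to be (a .zipx archive, with a document extension in front of it) and what its bytes actually are (an icon with a RAR archive appended). The following Python is an added example for mail-gateway or triage use, not code from the original article or from Trustwave; it parses the ICO directory to find where the icon's own image data ends, then looks for an archive signature after that point. The sample file it builds is constructed here (a one-entry icon followed by a RAR5 signature and placeholder bytes), and the only page-specific value it uses is the attachment name from the campaign.

```python
import re
import struct

# Real file-format signatures (documented magic bytes, not page-specific values)
ICO_MAGIC = b"\x00\x00\x01\x00"        # ICONDIR: reserved = 0, type = 1 (icon)
ZIP_MAGIC = b"PK\x03\x04"              # ZIP local file header
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 4.x archive signature
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature
ARCHIVE_EXTS = {"zip", "zipx", "rar", "7z"}
# A document extension sitting in front of the real extension (".pdf *.zipx") is a double extension
DOC_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?)(?![a-z0-9])", re.IGNORECASE)


def ico_data_end(data):
    """Offset just past the last image referenced by the ICO directory, or None if not a parsable ICO."""
    if len(data) < 6 or data[:4] != ICO_MAGIC:
        return None
    count = struct.unpack_from("<H", data, 4)[0]
    end = 6 + 16 * count                   # the directory alone ends here
    for i in range(count):
        entry = 6 + 16 * i
        if entry + 16 > len(data):
            return None                    # truncated directory
        size, offset = struct.unpack_from("<II", data, entry + 8)
        end = max(end, offset + size)
    return end


def find_appended_archive(data, start):
    """First archive signature at or after `start`; returns (kind, offset) or (None, -1)."""
    for magic, kind in ((RAR5_MAGIC, "rar5"), (RAR4_MAGIC, "rar4"), (ZIP_MAGIC, "zip")):
        idx = data.find(magic, start)
        if idx != -1:
            return kind, idx
    return None, -1


def classify_attachment(filename, data):
    """Compare the extension an attachment claims with the container its bytes actually start with."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    stem = filename[: -(len(ext) + 1)] if ext else filename
    result = {
        "filename": filename,
        "claimed_ext": ext,
        "double_extension": bool(DOC_EXT_RE.search(stem)),
        "container": "unknown",
        "appended": None,
        "verdict": "consistent",
    }
    if data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
    elif data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC):
        result["container"] = "rar"
    elif data.startswith(ICO_MAGIC):
        result["container"] = "ico"

    if result["container"] == "ico":
        # Scan from the end of the icon's own image data; fall back to the directory start if truncated
        start = ico_data_end(data) or 6
        kind, idx = find_appended_archive(data, start)
        if kind:
            result["appended"] = (kind, idx)
            result["verdict"] = "suspicious: icon image with appended %s archive" % kind
        elif ext in ARCHIVE_EXTS:
            result["verdict"] = "suspicious: archive extension on icon content"
    elif result["container"] in ("zip", "rar"):
        if ext not in ARCHIVE_EXTS:
            result["verdict"] = "suspicious: archive content with non-archive extension"
    else:
        result["verdict"] = "unknown container"
    return result


def build_sample_icon_with_rar():
    """Constructed sample, not a real capture: a one-entry ICO whose image data is 32 filler bytes,
    followed by a RAR5 signature and placeholder bytes standing in for the archive body."""
    image = b"\x00" * 32
    header = ICO_MAGIC + struct.pack("<H", 1)
    # ICONDIRENTRY: width, height, colours, reserved, planes, bpp, image size, image offset
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image + RAR5_MAGIC + b"archive-body-placeholder"


if __name__ == "__main__":
    # Attachment name taken from the campaign described above; the file contents are constructed
    sample = build_sample_icon_with_rar()
    for name, blob in (("NEW PURCHASE ORDER.pdf *.zipx", sample),
                       ("invoice.zip", ZIP_MAGIC + b"\x00" * 20)):
        print(classify_attachment(name, blob))
```

The check deliberately does not rely on the extension alone: a genuine ZIP carries its own `PK` headers, so archive signatures are only searched for after the icon's image data, which is exactly where an appended RAR would sit. Any "suspicious" verdict is a reason to quarantine the message for analyst review rather than let a decompression tool on the endpoint decide what the file is.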

Successful extraction leads to the execution of NanoCore Trojan version 1.2.2.0. The trojan was first detected in 2013 and offers features such as keylogging and information theft, and it installs a dropper for additional malware. It can also access the camera and capture video, extract the data and send it to a command and control (C2) server.

Researchers have discovered that the NanoCore Trojan is being sold on underground forums.

Most often, it is distributed through phishing campaigns related to financial issues.

This version of the Trojan creates copies of itself in the AppData folder and targets the RegSvcs.exe process. The information stolen by the malware is sent to several C2 servers.

The icon file technique used to distribute the NanoCore Trojan resembles an earlier phishing campaign that also used .zipx. In 2019, researchers observed malspam campaigns spreading another Trojan, Lokibot, through .zipx attachments and icon files with a .JPG extension.

Happy Reading!!!!
