silversurfer
Thread author
The NanoCore Remote Access Trojan (RAT) is being spread through malicious documents and uses an interesting technique to keep its process running and prevent victims from manually killing the process, researchers say.
The cybersecurity team from Fortinet recently captured a sample relating to the spread of NanoCore RAT in the form of a malicious Microsoft Word document.
The malicious document, "eml_-_PO20180921.doc," is spread via phishing campaigns and contains obfuscated VBA macro code that runs as soon as macros are enabled and kicks off the infection.
When the document is opened, a security warning at the top informs the would-be victim that macros have been disabled; should that individual click "Enable Content," the infection process begins.
According to Fortinet, the latest version of the NanoCore Trojan, 1.2.2.0, is downloaded from the wwpdubai.com domain inside an .exe file, which is then saved to a Windows temporary folder.
That file, CUVJN.exe, launches a daemon process. Before it does so, the executable checks whether the process already exists and whether Avast antivirus software is running.
If the infected system passes these checks, the code extracts an archive embedded in the executable and retrieves a PE file, which is the actual NanoCore RAT.
Two processes are running at this stage: netprotocol.exe, a copy of CUVJN.exe that serves as the daemon that unpacks NanoCore, alongside dll.exe, which is a very interesting daemon process in itself.
Dll.exe is designed to keep the Trojan running. The process starts netprotocol.exe, injects NanoCore into its memory, and runs the code. One of the process's classes is called "ProtectMe", with a function "ProtectMe.Protect()" that prevents the process from being killed by the victim.
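The article does not say how ProtectMe.Protect() blocks termination, so what a defender can act on is the chain itself: Word spawning an executable out of the Temp folder, and a watchdog (dll.exe) re-launching the same child (netprotocol.exe) every time it is killed. The script below, added here as an illustration and not part of the Fortinet analysis or the original post, hunts for both behaviours in Sysmon-style process-creation records. The events, PIDs, paths and the exact parent/child links are constructed assumptions; the only names taken from the write-up are CUVJN.exe, netprotocol.exe and dll.exe.

```python
"""Hunt for the NanoCore dropper chain in process-creation telemetry.

Two behaviours from the write-up are detectable without knowing how
ProtectMe.Protect() works:
  1. An Office application spawns an executable from a Temp folder
     (macro dropper writing and running CUVJN.exe).
  2. One parent process launches the same child image repeatedly in a
     short window (dll.exe restarting netprotocol.exe after each kill).

All events below are constructed for illustration, modelled on Sysmon
event ID 1 fields; they are not Fortinet's telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
TEMP = r"C:\Users\victim\AppData\Local\Temp"

# Constructed sample: Word -> CUVJN.exe -> dll.exe -> netprotocol.exe,
# with netprotocol.exe re-launched three times by dll.exe after being killed,
# plus two benign launches from explorer.exe.
SAMPLE_EVENTS = [
    {"time": "2018-09-21T10:00:00", "pid": 4100, "image": WORD,
     "parent_pid": 900, "parent_image": r"C:\Windows\explorer.exe"},
    {"time": "2018-09-21T10:00:07", "pid": 4212, "image": TEMP + r"\CUVJN.exe",
     "parent_pid": 4100, "parent_image": WORD},
    {"time": "2018-09-21T10:00:08", "pid": 4310, "image": TEMP + r"\dll.exe",
     "parent_pid": 4212, "parent_image": TEMP + r"\CUVJN.exe"},
    {"time": "2018-09-21T10:00:09", "pid": 4300, "image": TEMP + r"\netprotocol.exe",
     "parent_pid": 4310, "parent_image": TEMP + r"\dll.exe"},
    {"time": "2018-09-21T10:05:00", "pid": 4400, "image": TEMP + r"\netprotocol.exe",
     "parent_pid": 4310, "parent_image": TEMP + r"\dll.exe"},
    {"time": "2018-09-21T10:05:02", "pid": 4401, "image": TEMP + r"\netprotocol.exe",
     "parent_pid": 4310, "parent_image": TEMP + r"\dll.exe"},
    {"time": "2018-09-21T10:05:04", "pid": 4402, "image": TEMP + r"\netprotocol.exe",
     "parent_pid": 4310, "parent_image": TEMP + r"\dll.exe"},
    {"time": "2018-09-21T10:06:00", "pid": 5000, "image": r"C:\Windows\notepad.exe",
     "parent_pid": 900, "parent_image": r"C:\Windows\explorer.exe"},
    {"time": "2018-09-21T10:07:00", "pid": 5001, "image": r"C:\Windows\notepad.exe",
     "parent_pid": 900, "parent_image": r"C:\Windows\explorer.exe"},
]


def _base(path):
    """Case-folded file name of a Windows path."""
    return ntpath.basename(path).lower()


def office_spawned_temp_exe(events):
    """PIDs of processes whose image lives in a Temp folder and whose parent
    is an Office application (the macro-dropper pattern)."""
    hits = []
    for e in events:
        in_temp = any(m in e["image"].lower() for m in TEMP_MARKERS)
        if in_temp and _base(e["parent_image"]) in OFFICE_IMAGES:
            hits.append(e["pid"])
    return hits


def watchdog_restarts(events, min_launches=3, window=timedelta(minutes=5)):
    """(parent_image, child_image, total_launches) for every parent PID that
    started the same child image at least `min_launches` times within
    `window`; a process that is re-spawned each time it dies looks like this."""
    launches = defaultdict(list)
    for e in events:
        key = (e["parent_pid"], _base(e["parent_image"]), _base(e["image"]))
        launches[key].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for (_, parent, child), times in launches.items():
        times.sort()
        # Sliding window over consecutive launches of the same child.
        for i in range(len(times) - min_launches + 1):
            if times[i + min_launches - 1] - times[i] <= window:
                flagged.append((parent, child, len(times)))
                break
    return flagged


if __name__ == "__main__":
    print("Office -> Temp executables:", office_spawned_temp_exe(SAMPLE_EVENTS))
    print("Watchdog restart pairs:", watchdog_restarts(SAMPLE_EVENTS))
```

The restart detector keys on the parent PID rather than the parent image name so that a long-lived watchdog stands out while ordinary repeated launches of the same program by a shell or explorer.exe do not trip it unless they cluster in the window. On a real host the same logic runs over Sysmon event ID 1 (or Windows event 4688 with command-line auditing enabled) exported to JSON.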