ASEC reports that botnets have been used since 2019 to install NiceRAT via long‑running campaigns driven by NanoCore and similar malware. The article explains how these botnets are distributed through Korean blogs and game servers, how NiceRAT is installed and persists, and how data is leaked to threat actors using Discord as a C2 channel. #NiceRAT #NanoCore #Nitol #AmadeyBot #Discord
Keypoints
- Botnets continue to be used to install NiceRAT, with NanoCore and other malware enabling long‑running botnet campaigns.
- Malware distribution relies on Korean blogs and file-sharing services, disguising tools as Windows license verification or free game servers.
- Multiple botnet components (e.g., svvss.exe, system245.exe, coremm.exe, ixpoer.exe) connect to C2 servers such as gandigod.ddns[.]net and gandigod1.ddns[.]net.
- Botnets can periodically install additional malware (e.g., NiceRAT and Nitol) even after long time gaps in distribution, bypassing some C2 blocks.
- NiceRAT is Python‑based and performs anti‑debugging, VM detection, startup autostart, and system/browser/crypto information gathering for exfiltration.
- Collected data is sent to the threat actor via Discord webhooks, with specific C2 URLs and wallets targeted for data leaks.
- Users are advised to avoid cracks and the channels that distribute them, and to remediate with V3, in particular by stopping the scheduled tasks through which botnets commonly register persistence.
MITRE Techniques
- [T1053] Scheduled Task – The botnet creates tasks by adding IAMP Service and SMTP Service to the Task Scheduler. “The executed NanoCore adds IAMP Service and SMTP Service to the Task Scheduler.”
- [T1547] Boot or Logon Autostart – Startup program registration is used to maintain persistence. “startup program registration to maintain persistence.”
- [T1497] Virtualization/Sandbox Evasion – Anti‑debugging and VM detection are used to aid stealth. “anti-debugging detection, virtual machine detection…”
- [T1082] System Information Discovery – NiceRAT collects system information, including IP via api.ipify and location data. “collects system information, browser information, and cryptocurrency information… accesses hxxps://api.ipify[.]org to collect the IP information.”
- [T1071.001] Web Protocols – C2 communications occur over web services, notably Discord webhooks. “leaks collected information to the threat actor, using Discord as a C&C server to communicate.”
- [T1105] Ingress Tool Transfer – The botnet can download and install additional malware over time, even after long distribution gaps. “Normally, when downloading additional malware strains… However, botnet-type malware strains can periodically install additional malware types regardless of the time.”
Indicators of Compromise
- [File] Botnet malware file names – svvss.exe, system245.exe, coremm.exe, ixpoer.exe
- [Domain] C2 and distribution domains – gandigod.ddns[.]net:3255, gandigod.ddns[.]net:5407, gandigod1.ddns[.]net:3255
- [URL] Discord webhook used for C2 communication – https://discord.com/api/webhooks/1241518194691280966/tDcIZkMJSrBlrb0PjY98f6vjRIpIa489tkwC5M9GdJFAzOG4-yLh99uzd7gvAG5ZYa3G
- [URL] Additional C2 webhook/address used in logs – https://discord.com/api/webhooks/1242723656166146119/stYCi_haHIy8MpHXGkrMX0f_bp4-yAEIlnWaINtua0M_sgvcXVRXo77MzCFOIPUe8xT7
- [MD5] Sample malware hashes – 5b72efdb6a374d4c35ab8ac88e519c9c, 16014adaf287779265e33c698287046a
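The report's behavioural indicators (the IAMP Service / SMTP Service tasks, the ddns C2 hosts, the api.ipify lookup and the Discord webhook exfil) translate directly into detection logic. The following is an added example, not code from ASEC or the report; the log lines and task entries are constructed and the webhook token is a placeholder, so it runs offline against sample input.

```python
import re
from typing import Iterable

# IoCs from the report above, with the [.] defanging removed so they match real logs.
C2_DOMAINS = {"gandigod.ddns.net", "gandigod1.ddns.net"}
BOTNET_FILES = {"svvss.exe", "system245.exe", "coremm.exe", "ixpoer.exe"}
PERSISTENCE_TASKS = {"IAMP Service", "SMTP Service"}
# NiceRAT exfiltrates through Discord webhooks; any webhook POST from a host with no
# business use for Discord is worth a look, whatever the channel id and token are.
WEBHOOK_RE = re.compile(r"https?://discord\.com/api/webhooks/\d+/[\w\-]+", re.I)

def scan_proxy_logs(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for log lines that touch the report's network IoCs."""
    hits = []
    for line in lines:
        lowered = line.lower()
        if any(domain in lowered for domain in C2_DOMAINS):
            hits.append(("botnet C2 domain", line))
        elif WEBHOOK_RE.search(line):
            hits.append(("discord webhook (possible NiceRAT exfil)", line))
        elif "api.ipify.org" in lowered:  # also used by benign software: low confidence on its own
            hits.append(("external IP lookup (NiceRAT recon)", line))
    return hits

def scan_scheduled_tasks(tasks: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """tasks: (task name, command line). Flags the report's task names or botnet binaries."""
    hits = []
    for name, command in tasks:
        exe = command.split("\\")[-1].strip('" ').split(" ")[0].lower()
        if name in PERSISTENCE_TASKS or exe in BOTNET_FILES:
            hits.append((name, command))
    return hits

# Constructed sample input (not from the report); the webhook token is a placeholder.
SAMPLE_PROXY_LOG = [
    "2024-06-01T10:01:02 host1 CONNECT gandigod.ddns.net:3255 - 200",
    "2024-06-01T10:01:09 host1 GET https://api.ipify.org/?format=json 200",
    "2024-06-01T10:01:15 host1 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 204",
    "2024-06-01T10:02:00 host1 GET https://www.example.com/ 200",
]
SAMPLE_TASKS = [  # shaped like `schtasks /query /fo csv` rows: (TaskName, Task To Run)
    ("IAMP Service", r"C:\Users\user\AppData\Roaming\svvss.exe"),
    ("GoogleUpdateTaskMachineCore", r"C:\Program Files\Google\Update\GoogleUpdate.exe /c"),
]

if __name__ == "__main__":
    for reason, line in scan_proxy_logs(SAMPLE_PROXY_LOG):
        print(f"[net] {reason}: {line}")
    for name, command in scan_scheduled_tasks(SAMPLE_TASKS):
        print(f"[task] {name}: {command}")
```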
Read more: https://asec.ahnlab.com/en/66790/