RAT Targets Energy Industry

Thursday, March 26, 2015 @ 01:03 PM gHale

Energy companies should be on alert because there is a remote access Trojan (RAT) targeting the industry, researchers said.

Multiple variants of NanoCore, in different stages of development, have leaked out since attackers started to work on it two years ago.


The first release became available on underground forums in December 2013, when much of its functionality was incomplete and new features still had to be added.

Since then, four beta versions came out, and then the fully functional build hit cybercriminal websites in March 2015. It is worth noting the price of this tool is $25 for a copy.

Security researchers from Symantec tracked its activity from the beginning and recorded an increased number of detections in the immediate period following the free availability of NanoCore.

The targeted attacks on the energy industry in Asia and the Middle East started March 6, said Symantec’s Lionel Payet in a blog post.

The bad guys impersonate the address of a legitimate oil company in South Korea in order to add credibility to the fraudulent message, the researchers said.

The Trojan is delivered by a malicious RTF or Word file that exploits an old vulnerability (CVE-2012-0158) in the Microsoft Windows Common Controls ActiveX component MSCOMCTL.OCX, which is present in multiple older products from the software giant, among them SQL Server 2005/2008 and Office 2003 through 2010.

The text document tells the recipient there are revisions to the current contract between the two parties. The subject of the message and the body invite the victim to open the document, thus compromising the machine.

Payet said the cracked variant of NanoCore is currently available not just on the dark web, but also on the visible side of the Internet.

Information collected by Symantec from January 2014 until March 2015 shows most of the NanoCore infections have been in the U.S. (40 percent), followed by Canada (14 percent) and Singapore (9 percent).
