NanoCore, a lesser-known remote access Trojan (RAT), has recently been spotted being delivered to employees of energy companies in Asia and the Middle East via spear-phishing emails impersonating a legitimate oil company in South Korea.
Worse still for ordinary users, the cracked, full version of the RAT, premium plugins included, was leaked online this month, and script kiddies can be expected to take advantage of it.
Symantec researchers have been following the evolution of this particular RAT since its first, alpha version was leaked in December 2013. In the year and a half since, newer versions have been cracked and leaked in February, March, April, July, August and October 2014, and now in March 2015.
Each time, use of the RAT, and Symantec's detections of it, spiked.
There is no reason to believe that this time will be different.
“The cracked versions of NanoCore are now not only available on the dark web but also on the visible web. That means it’s not just the more experienced cybercriminals who can easily access this malware for free, but also script kiddies eager to start their cybercriminal careers,” says Symantec threat intelligence officer Lionel Payet. “The more the NanoCore malware is used and is visible on the underground, the higher the chances that one day it may end up just as well-known as some of the notorious RATs that have come before it.”
So far, more than half of the company's detections of the malware have been in the US and Canada; the rest were in Singapore, India, the UK, Hong Kong, Australia, Japan, the UAE, and Nigeria.
Users, both enterprise and individual, are advised never to open attachments or follow links in unsolicited emails. If you must, first check whether the URL is flagged as malicious and whether the attached file is detected as malware, using online reputation services and up-to-date AV and security solutions.