Newly discovered NanoCore 1.2.2.0 RAT found being distributed via MS Word documents

• Attackers are using a malicious MS Word document named as “eml_-_PO20180921.doc” to spread the malware variant.
• The NanoCore 1.2.2.0 capabilities include registry edit, process control, upgrade, file transfer, keylogging, password stealing, and more.

A new version of NanoCore RAT has been found targeting Windows systems. Dubbed as NanoCore 1.2.2.0, the sample is capable of performing various nefarious activities.

How does it spread?

Attackers are using a malicious MS Word document named as “eml_-_PO20180921.doc” to spread the malware variant. When a user clicks on a document, it displays a warning message - in yellow color - on the top of the Window.

Once the user clicks on the ‘Enable’ button displayed in the warning message, it downloads and executes the malicious VBA code in the background. The VBA code is obfuscated and is executed from the function “Document_Open.”

This VBA code later downloads an EXE file from a specific URL and saves it in “%temp% CUVJN.exe”. Once downloaded, this EXE file executes the NanoCore 1.2.2.0 malware on a victim’s computer.

The NanoCore capabilities include, “registry edit, process control, upgrade, file transfer, keylogging, password stealing, etc. on a victim’s machine,” Security Boulevard reported.

Removing the malware

Users are advised to delete the value ‘DHCP Manager" from the system registry “HKCUSoftwareMicrosoftWindowsCurrentVersionRun” or “HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun” in order to remove the malware. Then, the system would need to be restarted in order for the change to take effect.

Additionally, deleting the folder “%AppData%MicrosoftWindowsScreenToGif” and the folder created in first step will help users in preventing further spreading of the malware.