A new version of the NanoCore RAT has been found targeting Windows systems. Dubbed NanoCore 18.104.22.168, the sample is capable of performing a range of malicious activities.
How does it spread?
Attackers are using a malicious MS Word document named “eml_-_PO20180921.doc” to spread the malware variant. When a user opens the document, it displays a yellow warning bar at the top of the window.
Once the user clicks the ‘Enable’ button in that warning bar, the malicious VBA code is downloaded and executed in the background. The VBA code is obfuscated and runs from the “Document_Open” function.
This VBA code then downloads an EXE file from a specific URL and saves it as “%temp%\CUVJN.exe”. Once downloaded, this EXE executes the NanoCore 22.214.171.124 malware on the victim’s computer.
NanoCore’s capabilities include “registry edit, process control, upgrade, file transfer, keylogging, password stealing, etc. on a victim’s machine,” Security Boulevard reported.
Removing the malware
Users are advised to delete the value ‘DHCP Manager’ from the system registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” or “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” in order to remove the malware’s persistence. The system must then be restarted for the change to take effect.
Additionally, deleting the folder “%AppData%\Microsoft\Windows\ScreenToGif” and the folder created in the first step will help prevent the malware from spreading further.
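As an added example that is not part of the article, the following PowerShell script checks both Run keys and the drop folder named above for these persistence artifacts, records what it finds, and deletes them only when run with a `-Remove` switch (an assumption of this script, not something the article describes). Removing the HKLM value requires an elevated prompt.

```powershell
# Added example (not from the article). Value name, Run keys and folder come from the
# write-up above; the -Remove switch and the report format are this script's own.
[CmdletBinding()]
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$valueName  = 'DHCP Manager'
$runKeys    = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$dropFolder = Join-Path $env:APPDATA 'Microsoft\Windows\ScreenToGif'

$findings = @()

foreach ($key in $runKeys) {
    # Get-ItemProperty returns nothing when the named value is absent
    $entry = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $entry) {
        # keep the command line the Run value pointed at before deleting it (evidence)
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "$key\$valueName"; Target = $entry.$valueName }
        if ($Remove) {
            Remove-ItemProperty -Path $key -Name $valueName -ErrorAction Stop
            Write-Host "Removed value '$valueName' from $key"
        }
    }
}

if (Test-Path -LiteralPath $dropFolder) {
    $findings += [pscustomobject]@{ Type = 'Folder'; Location = $dropFolder; Target = $null }
    if ($Remove) {
        Remove-Item -LiteralPath $dropFolder -Recurse -Force
        Write-Host "Removed folder $dropFolder"
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No NanoCore persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Remove) {
        Write-Host 'Re-run with -Remove to delete these artifacts, then restart the system.'
    }
}
```

Run it once without `-Remove` to see the recorded Run value and its target path before anything is deleted.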