    NiceRAT Malware Targets South Korean Users via Cracked Software

    Cyber malefactors have been observed unleashing a pernicious program known as NiceRAT, which conscripts compromised devices into a nefarious botnet.

    These incursions, zeroing in on South Korean users, disseminate the malware under the pretense of pirated software, such as counterfeit Microsoft Windows, or utilities masquerading as license verification tools for Microsoft Office.

    “Given the clandestine nature of these crack applications, the exchange of information amongst unsuspecting users significantly aids in the malware’s proliferation independent of the original distributor,” elucidated the AhnLab Security Intelligence Center (ASEC).

    “Since threat actors typically provide methods to circumvent anti-malware defenses during the dissemination phase, it becomes arduous to detect the propagated malware.”

    Another distribution method relies on a botnet of commandeered computers infected with a remote access trojan (RAT) known as NanoCore RAT, echoing earlier activity that used the Nitol DDoS malware to spread another malicious program dubbed Amadey Bot.

    NiceRAT, an actively evolving open-source RAT and information-stealing malware written in Python, uses a Discord webhook for command-and-control (C2), enabling cyber adversaries to exfiltrate sensitive data from compromised systems.
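
A defender's view of the Discord webhook channel described above, as an added example that is not from ASEC or the original article: it scans web-proxy records for POSTs to Discord webhook endpoints made by processes outside an allowlist. The log format, process names, allowlist, and webhook ids and tokens are constructed assumptions, and it presumes a proxy or EDR source that exposes full URLs.

```python
import re
from urllib.parse import urlsplit

# Hosts that serve the Discord webhook API (stable, PTB, canary, legacy domain).
WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
# /api/webhooks/<numeric id>/<token>, optionally versioned (/api/v10/webhooks/...).
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d{17,20})/[\w-]+")
# Assumption: processes this environment expects to call webhooks (e.g. a CI notifier).
ALLOWED_PROCESSES = {"ci-notifier.exe"}
# Constructed sample records: ts host process method url bytes_out (not real telemetry).
SAMPLE_LOG = [
    "2024-06-17T09:12:03Z WS-014 office_activator.exe POST https://discord.com/api/webhooks/100000000000000001/EXAMPLE-TOKEN_a 48211",
    "2024-06-17T09:12:09Z WS-014 office_activator.exe POST https://discord.com/api/webhooks/100000000000000001/EXAMPLE-TOKEN_a 913004",
    "2024-06-17T09:15:40Z WS-022 chrome.exe GET https://discord.com/channels/@me 0",
    "2024-06-17T09:20:11Z BUILD-01 ci-notifier.exe POST https://discord.com/api/webhooks/100000000000000002/EXAMPLE-TOKEN_b 412",
    "2024-06-17T09:31:55Z WS-031 python.exe POST https://discordapp.com/api/v10/webhooks/100000000000000003/EXAMPLE-TOKEN_c 20480",
]

def parse_line(line):
    """Split one record of the constructed log format into named fields."""
    ts, host, process, method, url, bytes_out = line.split()
    return {"ts": ts, "host": host, "process": process.lower(),
            "method": method, "url": url, "bytes_out": int(bytes_out)}

def webhook_id(url):
    """Return the webhook id if url targets a Discord webhook endpoint, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in WEBHOOK_HOSTS:
        return None  # exact host match, so look-alike domains are not counted
    m = WEBHOOK_PATH.match(parts.path)
    return m.group(1) if m else None

def find_suspect_webhook_posts(lines):
    """Total webhook POSTs per (host, process, webhook id), skipping allowed processes."""
    hits = {}
    for line in lines:
        ev = parse_line(line)
        wid = webhook_id(ev["url"])
        if wid is None or ev["method"] != "POST" or ev["process"] in ALLOWED_PROCESSES:
            continue
        entry = hits.setdefault((ev["host"], ev["process"], wid), {"posts": 0, "bytes_out": 0})
        entry["posts"] += 1
        entry["bytes_out"] += ev["bytes_out"]
    return hits

if __name__ == "__main__":
    for key, stats in find_suspect_webhook_posts(SAMPLE_LOG).items():
        print(key, stats)
```

Grouping by webhook id lets one finding be pivoted across hosts: the same id appearing on several workstations points to a shared operator channel.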

    The software was first introduced on April 17, 2024, and its current iteration is version 1.1.0. According to its developer, it also comes in a premium variant, implying that it is promoted under the malware-as-a-service (MaaS) paradigm.

    This development comes amid the resurgence of a cryptocurrency mining botnet known as Bondnet, which has been detected using high-efficiency miner bots as C2 servers since 2023 by configuring a reverse proxy with an altered version of a legitimate utility called Fast Reverse Proxy (FRP).