NanoCore Trojan is protected in memory from being killed off

January 16, 2019
in Internet Security

The NanoCore Remote Access Trojan (RAT) is being spread through malicious documents and uses an interesting technique to keep its process running and prevent victims from manually killing that process, researchers say.

The cybersecurity team from Fortinet recently captured a sample relating to the spread of NanoCore RAT in the form of a malicious Microsoft Word document.

Developed in the .NET framework by an author known as “Taylor Huddleston,” the Trojan has landed its operator in jail for peddling the malware on underground forums.

While the Arkansas man is due to serve close to three years in prison, his legacy continues on in the wild without his influence.

The malicious document, “eml_-_PO20180921.doc,” is spread via phishing campaigns and contains auto-executing, obfuscated malicious VBA code that launches the Trojan.

If opened, the document displays a security warning at the top informing the would-be victim that macros have been disabled, but should that individual click “Enable Content,” the infection process begins.

According to Fortinet, the NanoCore Trojan, in its latest 1.2.2.0 version, is downloaded from the wwpdubai.com domain as part of an .exe file which is then saved in a Windows temporary folder.

The file, CUVJN.exe, starts a daemon process. Before that process begins, however, the executable checks whether the process already exists and whether Avast antivirus software is running.

If the infected system passes these checks, the code will then extract an archive within the executable and retrieve a PE file which is the actual NanoCore RAT.

Two processes will be running at this stage: netprotocol.exe, which is a copy of CUVJN.exe and is the daemon designed to unzip NanoCore, alongside dll.exe, which is a very interesting daemon process in itself.

The dll.exe process is designed to keep the Trojan running. It starts netprotocol.exe, injects NanoCore into its memory, and runs the code. One of the process’s classes is called “ProtectMe,” with a function “ProtectMe.Protect()” that prevents the process from being killed off by the victim.

During testing, Fortinet researchers could not kill the netprotocol.exe process at all — despite it not being a system service or containing higher privileges than the user.

It turns out that the process calls a function named ZwSetInformationProcess, exported by NTDLL.dll, which is able to modify the state of the process and prevent it from being terminated.

“There is a function named ‘RunPE.doIt()’ that is used to run and protect the NanoCore RAT client. It calls the API CreateProcessA to start a new ‘netprotocol.exe’ and then suspends it,” the researchers say. “Next, it allocates memory in the new ‘netprotocol.exe’ and puts the entire NanoCore into the newly allocated memory using the API WriteProcessMemory. Finally, it modifies the entry point of the thread context to NanoCore’s entry point and resumes NanoCore running inside the second ‘netprotocol.exe’ by calling the API ResumeThread.”
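The two observable steps in the chain described above, the macro dropping an executable into a temporary folder and dll.exe spawning a fresh netprotocol.exe and writing into its memory before resuming it, both leave traces in endpoint telemetry. The following Python is an added detection example, not code from the article or from Fortinet's report: it correlates Sysmon-style ProcessCreate (Event ID 1), ProcessAccess (Event ID 10) and FileCreate (Event ID 11) records and flags a parent that opens a child it just created with memory-write rights, which the CreateProcessA, WriteProcessMemory, ResumeThread sequence requires. The flat `timestamp|EventID|Key=Value` record format, the sample log lines, the PIDs and the paths assumed for netprotocol.exe and dll.exe are all constructed for the example (the article only places CUVJN.exe in a Windows temporary folder); the access-right constants are Windows SDK values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Win32 process access rights (values from the Windows SDK headers).
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
# Writing a payload into another process needs at least these two rights;
# a parent that requests both on a child it just created is worth a look.
INJECTION_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Office binaries whose executables written to a Temp folder are suspect.
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")


@dataclass
class Event:
    ts: datetime
    event_id: int  # Sysmon ID: 1 ProcessCreate, 10 ProcessAccess, 11 FileCreate
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one constructed flat record: 'timestamp|EventID|Key=Value|...'."""
    ts, eid, *kvs = line.strip().split("|")
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.fromisoformat(ts), int(eid), fields)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def office_dropped_executables(events) -> list:
    """Rule 1: an Office process creating an .exe under a Temp directory."""
    hits = []
    for e in events:
        if e.event_id != 11:
            continue
        image = e.fields["Image"].lower()
        target = e.fields["TargetFilename"]
        if (image.endswith(OFFICE_IMAGES) and target.lower().endswith(".exe")
                and "\\temp\\" in target.lower()):
            hits.append({"pid": e.fields["ProcessId"], "file": target})
    return hits


def injection_candidates(events, window=timedelta(seconds=30)) -> list:
    """Rule 2: a parent creates a child, then opens it with VM_WRITE and
    VM_OPERATION within `window` seconds (the write-then-resume pattern)."""
    creates = {}  # (parent pid, child pid) -> ProcessCreate event
    for e in events:
        if e.event_id == 1:
            creates[(e.fields["ParentProcessId"], e.fields["ProcessId"])] = e
    hits = []
    for e in events:
        if e.event_id != 10:
            continue
        key = (e.fields["SourceProcessId"], e.fields["TargetProcessId"])
        created = creates.get(key)
        if created is None:
            continue
        granted = int(e.fields["GrantedAccess"], 16)
        if (granted & INJECTION_MASK) != INJECTION_MASK:
            continue
        if not (timedelta(0) <= e.ts - created.ts <= window):
            continue
        hits.append({
            "source_pid": e.fields["SourceProcessId"],
            "source_image": e.fields["SourceImage"],
            "target_pid": e.fields["TargetProcessId"],
            "target_image": e.fields["TargetImage"],
            "granted_access": hex(granted),
        })
    return hits


# Constructed sample telemetry: the Word-to-CUVJN.exe-to-netprotocol.exe chain
# followed by benign explorer.exe -> notepad.exe activity that must not fire.
SAMPLE_LOG = r"""
2019-01-16T10:00:00|11|ProcessId=3300|Image=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE|TargetFilename=C:\Users\victim\AppData\Local\Temp\CUVJN.exe
2019-01-16T10:00:01|1|ProcessId=4120|Image=C:\Users\victim\AppData\Local\Temp\CUVJN.exe|ParentProcessId=3300|ParentImage=C:\Program Files\Microsoft Office\Office16\WINWORD.EXE
2019-01-16T10:00:03|1|ProcessId=4388|Image=C:\Users\victim\AppData\Roaming\netprotocol.exe|ParentProcessId=4120|ParentImage=C:\Users\victim\AppData\Local\Temp\CUVJN.exe
2019-01-16T10:00:04|1|ProcessId=4400|Image=C:\Users\victim\AppData\Roaming\dll.exe|ParentProcessId=4388|ParentImage=C:\Users\victim\AppData\Roaming\netprotocol.exe
2019-01-16T10:00:05|1|ProcessId=4512|Image=C:\Users\victim\AppData\Roaming\netprotocol.exe|ParentProcessId=4400|ParentImage=C:\Users\victim\AppData\Roaming\dll.exe
2019-01-16T10:00:05|10|SourceProcessId=4400|SourceImage=C:\Users\victim\AppData\Roaming\dll.exe|TargetProcessId=4512|TargetImage=C:\Users\victim\AppData\Roaming\netprotocol.exe|GrantedAccess=0x1FFFFF
2019-01-16T10:05:00|1|ProcessId=5000|Image=C:\Windows\System32\notepad.exe|ParentProcessId=2000|ParentImage=C:\Windows\explorer.exe
2019-01-16T10:05:01|10|SourceProcessId=2000|SourceImage=C:\Windows\explorer.exe|TargetProcessId=5000|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1410
"""

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in office_dropped_executables(evs):
        print("office drop:", h)
    for h in injection_candidates(evs):
        print("injection candidate:", h)
```

The second rule keys on the parent/child relationship plus the access mask rather than on the process names, so a renamed copy of the daemon is still caught; the 0x1410 mask in the benign record (query and read rights only) shows why requiring both write rights keeps ordinary parent-child activity out of the results.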

First discovered in 2013, NanoCore is a rather nasty piece of malware which is able to perform a variety of functions. These include a keylogger, a password stealer which can remotely pass along data to the malware’s operator, the ability to tamper with and view footage from webcams, screen locking, the download and theft of files, and more.

The latest version of the Trojan was released in 2015 with premium plugins included, before the arrest of the operator in 2016.
