Activity heightens from NanoCore RAT campaigns

Oct 20, 2016 21:05 GMT

Discord, the free VoIP chat service very popular among gamers, is the target of several spam campaigns spreading different types of Remote Access Trojans (RATs), such as NanoCore (Trojan.Nancrat), njRAT (Backdoor.Ratenjay), and SpyRat (W32.Spyrat).

Symantec security researchers say they've discovered several spam campaigns active on the service, and they've notified Discord to have the messages removed.

The fact that spammers are targeting Discord shouldn't surprise gamers, who probably noticed its rising popularity, mainly due to a superior VoIP service that allows gaming clans and communities to talk to each other during games and nightly meetings.

Malware authors targeting the gaming community isn't something new either. According to a recent Trend Micro report, in most instances, crooks are spreading RATs in order to get access to gaming-related accounts so they can steal in-game currency or gear, which they auction off on Dark Web marketplaces.

Discord chat spam leads to NanoCore, njRAT, or SpyRat

Symantec says that spammers are using two approaches. On the one hand, they're creating Discord servers and inviting users to their channels, and on the other, they are joining channels and leaving malicious links in the main chat window.

In most cases, these URLs point to malicious applications that are packaged with RATs. The most common payload is NanoCore, which has become a very popular RAT payload after its cracked version leaked online in the spring of 2015.

In fact, NanoCore is a very popular RAT overall, not just on Discord chatrooms. Security researcher MalwareHunterTeam tells Softpedia that "there are [NanoCore RAT] campaigns every day, all weeks, all months, all the year."

NanoCore is a very popular RAT overall

Brad Duncan, the researcher behind the Malware-Traffic-Analysis.net service, also noted this flood of NanoCore malware payloads.

Today, the researcher shared an analysis of a recent email spam campaign delivering the NanoCore RAT, targeting regular businesses and disguising the malware payload as a purchase order.

The conclusion here is that NanoCore is an accessible tool for all sorts of crooks, be they silly kids spamming Discord chats or more skilled professionals in command of email spam botnets.

Below are just a few of the NanoCore RAT samples MalwareHunterTeam has come across in the past few days.