Rewterz

Rewterz Threat Alert – Nanocore RAT – Active IOCs

Severity

Medium

Analysis Summary

Nanocore is a high-risk RAT (remote access tool) that reports user and host information, such as the device name and operating system, back to the attacker. The malware can hijack the webcam and microphone, manipulate confidential files, and steal login credentials. A Nanocore attack starts with a phishing attempt in which the victim unwittingly downloads or clicks on an attachment; the trojan is then loaded onto the device, its keylogger captures business-critical data and the victim's financial information, and the stolen information is moved to another server owned by the hackers, which can also be the starting point for a ransomware attack.

Impact

  • Credential Theft
  • Unauthorized Access
  • Theft of Sensitive Information

Indicators of Compromise

IP


SHA-256


URL


Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
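The second remediation step, searching your environment for the advisory's indicators, as an added Python example that is not part of the Rewterz advisory: it refangs indicators written in the advisory's `[.]`/`[:]` notation, then matches IP and URL indicators against log lines (IPs on full-token boundaries, so a listed address does not also flag a longer address that merely starts with it) and SHA-256 indicators against files on disk. Every indicator and log line in it is a constructed placeholder, not one of the advisory's real values.

```python
import hashlib
import re
from pathlib import Path

# Constructed placeholder indicators written in the advisory's defanged notation.
# They are NOT the advisory's real IOCs; paste the real list in their place.
DEFANGED_IOCS = {
    "ip": ["192[.]0[.]2[.]10", "198[.]51[.]100[.]7"],
    "url": ["http[:]//example[.]invalid/img/payload[.]exe"],
    "sha256": ["0" * 64],
}
# Constructed proxy/firewall log lines to run the matcher over.
SAMPLE_LOGS = [
    "2021-04-27T10:01:02Z proxy allow src=10.0.0.5 url=http://example.invalid/img/payload.exe",
    "2021-04-27T10:01:09Z fw deny dst=192.0.2.100 dport=443",
    "2021-04-27T10:02:11Z fw allow dst=192.0.2.10 dport=8080",
]

def refang(indicator: str) -> str:
    """Undo bracket defanging ([.] -> ., [:] -> :) and the common hxxp spelling."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

def build_iocs(defanged: dict) -> dict:
    """Refang every indicator and lowercase it so matching is case-insensitive."""
    return {kind: {refang(v).lower() for v in vals} for kind, vals in defanged.items()}

def match_log_lines(lines, iocs: dict):
    """Return (line_no, indicator) pairs. IPs match on full-token boundaries so that
    192.0.2.10 does not also flag 192.0.2.100; URLs are matched as substrings."""
    ip_re = None
    if iocs["ip"]:
        alts = "|".join(re.escape(i) for i in iocs["ip"])
        ip_re = re.compile(r"(?<![\d.])(" + alts + r")(?![\d.])")
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        if ip_re:
            hits.extend((n, m) for m in ip_re.findall(low))
        hits.extend((n, u) for u in iocs["url"] if u in low)
    return hits

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan_dir_for_hashes(root: Path, iocs: dict):
    """Return files under root whose SHA-256 is in the indicator set (sorted for stable output)."""
    return sorted(p for p in root.rglob("*") if p.is_file() and sha256_of(p) in iocs["sha256"])
```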