Dark-web peddlers sell popular RAT for US$20

News by Chandu Gopalakrishnan

Researchers at Proofpoint have found a widely-used remote access trojan being sold for below US$20 on underground forums

How cheap could a potent remote access trojan (RAT) be? Researchers at Proofpoint found a widely-used one being sold for below US$20.

Tracking a medium-volume email campaign that used fake invoices as lures, the researchers found that attackers planted a RAT called "NanoCore" on compromised systems. Their main target was manufacturing, with a noteworthy month-long campaign in October targeting the sector in Germany. 

Further research found that the malware is marketed on underground forums for a mere US$19.99 (£15.30). 

"This low price combined with a design focused on ease-of-use means that attackers can cheaply get up and running with get NanoCore and quickly begin using it in malware campaigns. This has contributed to NanoCore’s prevalence for many years amongst numerous threat actors even before we began observing more widespread RAT distribution over the last 18 months," read a Proofpoint blog post.

"NanoCore is a fairly ancient RAT with some potent capabilities. Over its six year history, it’s been available for prices as low as ‘free’," observed Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre).

"NanoCore is designed to infect Windows- based systems, but needs a trigger point for its installation. As highlighted by the ProofPoint report, that trigger point can be a phishing attack, but that this instance appeared to focus on manufacturing companies and included phishing attempts in multiple emails is a significant variation," he told SC Media UK.

The lure in the German campaign was an invoice email and used a combination of both malicious attachments and URLs.  

"Malicious attachments contained a compressed executable (using ".Z" extensions) while malicious links would lead the recipient to download the malware hosted on onedrive.live.com," said the post.

Isolating the networks where insecure communication occurs from those of plant operations --  including limiting public internet access and email usage to computers with no physical access to a plant network -- would limit the damage caused by APTs and RATs, explained Mackey. 

"Once the networking has been isolated, a regimen should be implemented which reviews all the software assets for unpatched vulnerabilities, unintended external communication capabilities, and incomplete usage of security flags. The results of this review should then form part of an overall cybersecurity threat model for the plant which then incorporates awareness of latent security risks in firmware, applications and systems."

While this campaign was not entirely focused on manufacturing, researchers found that the sector was preferred one "by a large margin".

"Manufacturing, with its complex supply chains and frequently sprawling network infrastructure, is an attractive and potentially lucrative industry at risk of infection and exploitation via Nanocore and other malware," the blog post read.

"Manufacturing companies tend to have computing and control systems with long lifespans. These systems are either intended to be remotely managed and may lack comprehensive plant level IT or cyber- security expertise," noted Mackey. 

"These attributes can make for an appealing target for anyone wishing to disrupt a manufacturing supply chain as we saw with the Norwegian aluminium supplier Norsk Hydro earlier this year."

The malware’s low cost and ease of use have given it staying power in the market, and has been popular for years since Proofpoint noticed its distribution 18 months ago, observed the researchers. According to them, it gives an attacker a "great deal of control" and an ongoing presence on a network after a successful attack. 

Potent malwares becoming cheaper to by is not at all surprising, observed Cybereason CSO Sam Curry.

"It happens with all products, light or dark, and we’ve seen it on the pricing of malware, of credit card numbers for sale and now on fraud-as-a-service. This is what all markets look like when they get mature: cheap, ubiquitous and complex economic ecosystems with a high degree of specialisation," he told SC Media UK. 

"In the end, the price point of all software, malicious or productive, is on a downward trend. But, with the security threats increasing – careful security reviews of all software assets and deployment configurations is a critical task," said Mackey. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews