Attackers are actively using malware called Nicarat to build a botnet from infected devices. The attacks target users in South Korea, and the malware is distributed through local file-sharing services and blogs under the guise of hacking programs, Windows activation tools, free gaming servers, and similar software.
According to a recent report by the AhnLab security center (ASEC), the malware is spread mainly by users themselves after attackers embed malicious code into a file.
Since the distributed tools are most often incompatible with antivirus software, users are instructed to disable or remove their antivirus products so that the malicious programs work properly. This puts users at risk, as security researchers struggle to detect and analyze the threat hidden in the files.
Users who fall for this tactic and follow the instructions to disable or delete their protective software delay detection of the threat, which makes it easier for attackers to reach more victims in the meantime.
Nicarat is also distributed through a botnet of infected computers that are remotely controlled with the NanoCore RAT trojan.
Nicarat is rapidly evolving open-source malware written in Python. It can detect virtual machines, create scheduled tasks in the Windows Task Scheduler for persistence, and collect system information such as IP addresses, location, browser details, and cryptocurrency information, which it sends to the attackers through Discord servers.
The first version of Nicarat was released on April 17, 2024, and the current version is 1.1.0. The developer also offers a premium version, which indicates a malware-as-a-service (MaaS) model.
Users are advised to exercise caution when launching programs downloaded from file-sharing platforms, blogs, and other unreliable sources. If the system is already infected, it is recommended to install antivirus software and remove any suspicious entries from the Windows Task Scheduler.
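
One way to carry out the Task Scheduler review recommended above is shown here as an added example; it is not taken from the ASEC report or the original article. The path patterns and the interpreter list are assumptions chosen for triage, not published indicators for this malware.

```powershell
# Added example: list scheduled tasks whose action runs from a user-writable
# location or through a script interpreter, so they can be reviewed by hand.
# Run from an elevated prompt to see tasks belonging to all users.

# Assumed heuristics (not Nicarat indicators): folders a standard user can write to.
$userWritable = '\\AppData\\(Local|Roaming)\\|\\Users\\Public\\|\\Temp\\|\\Downloads\\|\\ProgramData\\'
# Assumed heuristics: interpreters commonly used to launch scripts from a task.
$interpreters = '(^|[\\/"])(pythonw?|powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?"?\s*$'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions have Execute/Arguments; COM handler actions do not.
        if (-not $action.Execute) { continue }

        $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute)
        $line = "$exe $($action.Arguments)".Trim()

        $reasons = @()
        if ($line -match $userWritable) { $reasons += 'user-writable path' }
        if ($exe  -match $interpreters) { $reasons += 'script interpreter' }
        if (-not $reasons) { continue }

        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            RunAs   = $task.Principal.UserId
            Command = $line
            LastRun = $info.LastRunTime
            Reasons = $reasons -join '; '
        }
    }
}

if ($findings) {
    $findings | Sort-Object Task | Format-List
} else {
    'No scheduled tasks matched the review heuristics.'
}
```

Legitimate software such as per-user updaters also matches these patterns, so each entry needs a manual check of the command and its target file before anything is removed. A confirmed malicious task can then be deleted with `Unregister-ScheduledTask`, giving the task name and path from the listing.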