Hackers Weaponize Authentication Tools To Deliver NiceRAT Malware via Botnet

Botnets, traditionally used for DDoS attacks with malware like Nitol, are now being built with malware capable of data exfiltration and installing additional malware, confirmed by the discovery of NiceRAT malware being installed through a popular botnet active since 2019. 

The newly formed botnets utilize malware such as NanoCore and Emotet to extend their capabilities beyond traditional DDoS attacks. 


Attackers distribute malware disguised as legitimate software, such as game free servers or Windows authentication tools, to build botnets, which are often found on domestic file sharing sites or blogs. 

Malicious code distributed disguised as a game free server

Once executed, the malware creates a copy of itself and registers task schedules to ensure persistence on the infected machine by fooling users into installing malicious software that allows attackers to control their devices remotely.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

AhnLab identified a botnet that distributes additional malware even after a long time.

The botnet, primarily composed of NanoCore malware, infects machines and uses them to download and install new malware, including the recently discovered NiceRAT and the older Nitol malware first seen in 2019. 

C&C server for botnet-type malware that installs NiceRAT

The behavior differs from that of traditional malware downloaders, where the download functionality often ceases after the C&C server is blocked, which highlights the persistent threat posed by botnets and the need for advanced security solutions that can detect and block such attacks.

NanoCore installing Nitol malware

NiceRAT, a Python-based RAT, employs anti-debugging and virtual machine detection to evade analysis by gathering system and browser information, including cryptocurrency details, and leaking it to the attacker. 

 User information collected and stored

The malware leverages Discord as a C&C server, communicating via webhooks, targeting cryptocurrency wallets, and stealing user information for unauthorized access.

Finally, the stolen data is uploaded to the attacker’s server.  

Attackers are exploiting user-shared cracks, which often bypass antivirus by instructing users to disable it during installation, which allows them to build botnets that can be leveraged to easily distribute new malware. 

The cracks themselves are malware disguised as software activation tools, and due to their propagation through information sharing, they’re difficult to track back to the initial source, which enables attackers to establish persistent botnets for future malware deployment.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo