The ‘RATicate’ hacking group caught using NSIS installers to deploy RATs


The ‘RATicate’ hacking group is using NSIS installers to deploy remote administration tool (RAT) and information-stealing malware

With the COVID-19 pandemic affecting the whole globe, cybercriminals are constantly targeting organizations to loot their confidential data for monetary gain. In five separate campaigns recorded from November 2019 to January 2020, an unidentified group sent out waves of installers that drop remote administration tool (RAT) and information-stealing malware on victims’ computers.

The campaigns targeted industrial companies in Europe, the Middle East, and the Republic of Korea. Sophos researchers attribute these campaigns to a group they call ‘RATicate’. RATicate has abused NSIS (Nullsoft Scriptable Install System) installers to deploy RATs (Remote Access Tools) and information-stealing malware in several waves of attacks on industrial companies.

What are NSIS installers?

Nullsoft Scriptable Install System (NSIS) is a script-driven installer authoring tool for Microsoft Windows backed by Nullsoft, the creators of Winamp. NSIS is released under a combination of free software licenses, primarily the Zlib license. It has become a widely used alternative to commercial proprietary products like InstallShield, with users including Dropbox, Google, Ubisoft, FL Studio, BitTorrent, and McAfee.

The campaign runs the NSIS installer after the target opens a document attached to one of the phishing emails sent by the attackers; the attachments use common extensions such as .ZIP, .IMG, .UDF, .RTF, and .XLS.

[Image Source: Sophos Labs]

Moreover, in the second infection chain the hackers use malicious XLS and RTF documents to download the malicious installers from a remote server onto the target systems.

Experts at Sophos have explained that

We considered two possible scenarios: either the malicious NSIS package is a generic packer sold on dark forums; or, the same threat actor is using a custom loader to deploy different payloads in a variety of their attacks.

To communicate with multiple software components, NSIS installers use a plugin architecture that makes it possible to kill processes, execute command-line programs, load DLL files, and much more.
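Because the lure arrives as an attachment with one of the extensions listed above and the payload is an NSIS-built executable, a mail gateway or SOC script can cheaply triage both. The following Python is an added example written for this page, not code from Sophos or from the NSIS project: it flags attachment names by the extensions the report lists and looks for the NSIS "firstheader" marker (0xDEADBEEF followed by the ASCII string NullsoftInst, the same magic 7-Zip uses to recognise NSIS installers) inside a file. The sample file it builds is a constructed minimal fake PE with that marker appended; the `triage_attachment` function and its field names are assumptions of this example.

```python
"""Triage helper: flag email attachments by risky extension and detect
embedded NSIS installers by their firstheader signature.
Added example for this article; not code from Sophos or NSIS."""
from typing import Optional

# Attachment extensions cited in the Sophos report on the RATicate campaigns.
RISKY_EXTENSIONS = {".zip", ".img", ".udf", ".rtf", ".xls"}

# NSIS "firstheader" signature: 0xDEADBEEF (little-endian on disk) followed by
# the ASCII marker "NullsoftInst". The 4-byte flags field precedes it.
NSIS_SIGNATURE = b"\xef\xbe\xad\xde" + b"NullsoftInst"


def has_risky_extension(filename: str) -> bool:
    """True if the attachment name ends in one of the listed extensions."""
    name = filename.lower().strip()
    return any(name.endswith(ext) for ext in RISKY_EXTENSIONS)


def find_nsis_signature(data: bytes) -> Optional[int]:
    """Return the byte offset of the NSIS firstheader signature, or None."""
    idx = data.find(NSIS_SIGNATURE)
    return idx if idx >= 0 else None


def is_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' DOS header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the checks into a verdict a gateway or SOC script can log.
    (Hypothetical helper for this example.)"""
    offset = find_nsis_signature(data)
    verdict = {
        "filename": filename,
        "risky_extension": has_risky_extension(filename),
        "is_pe": is_pe(data),
        "nsis_offset": offset,
    }
    # Either a lure-style extension or an embedded NSIS installer is enough
    # to route the attachment for closer inspection.
    verdict["flag"] = verdict["risky_extension"] or offset is not None
    return verdict


def build_sample() -> bytes:
    """Constructed sample: a minimal fake PE (not a real installer) with an
    NSIS firstheader appended as an overlay, where real installers carry it."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3A)       # 0x3C bytes of DOS header
    dos += (0x40).to_bytes(4, "little")           # e_lfanew -> PE header at 0x40
    pe_header = b"PE\x00\x00" + b"\x00" * 20      # 24 bytes, ends at 0x58
    flags = b"\x00\x00\x00\x00"                   # firstheader flags field
    overlay = b"\x00" * 16 + flags + NSIS_SIGNATURE + b"\x00" * 8
    return bytes(dos) + pe_header + overlay


if __name__ == "__main__":
    sample = build_sample()
    print(triage_attachment("quote.exe", sample))
    print(triage_attachment("invoice.ZIP", b"PK\x03\x04"))
```

The signature scan only works on the installer itself, so archive attachments (.ZIP, .IMG, .UDF) need to be unpacked before their contents are scanned; a hit on the extension alone is still worth a closer look given the lures this campaign used.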

Based on the payloads used by RATicate, it’s clear that the campaigns run by the group are intended to gain access to and control of computers on the targeted companies’ networks. The experts added that the targets identified from the collected emails sent by these campaigns include:

  • An electrical equipment manufacturer in Romania;
  • A Kuwaiti construction services and engineering company;
  • A Korean internet company;
  • A Korean investment firm;
  • A British building supply manufacturer;
  • A Korean medical news publication;
  • A Korean telecommunications and electrical cable manufacturer;
  • A Swiss publishing equipment manufacturer;
  • A Japanese courier and transportation company.

The security experts have also stated that the new wave of RATicate attacks detected in March 2020 clearly indicates that the group is using new lures to trick potential victims into installing malware on their systems, including COVID-19 related baits.

We suggest you change your passwords regularly, enable two-factor authentication where available, and, to detect malware, purchase or download a reputable antivirus product that provides real-time protection.

