Thursday, January 27, 2022

Nitol Malware Family rips Code from Public Sources

Microsoft has discovered that much of the code used by the Nitol malware family is copied from freely available malware source code. Microsoft posted portions of the code online this week, showing lines used for denial-of-service attack functionality that appear both in Nitol and on the sites in question.

The Nitol botnet was recently taken down by Microsoft after the U.S. District Court for the Eastern District of Virginia gave it permission to take control of the 70,000 subdomains hosting malware on the domain.

Microsoft has been looking into supply chain protection for some time (its recent Security Intelligence Report concentrated on malware compromising third-party suppliers, P2P networks and sites) and announced in September that it had found Nitol malware pre-loaded on computers built in China running counterfeit versions of the Windows operating system.

The subdomains, meanwhile, were hosting more than 500 strains of malware, including DDoS malware, keyloggers, rootkits and more.

The compromised machines were then issued commands to attack domains by an assortment of means, including SYN, UDP, TCP, HTTP and ICMP floods. The C&C server can also send additional executables or updates to infected machines, or force a browser to open a compromised URL.
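As an added illustration of how a defender would spot the flood traffic described above (this is example code written for this page, not Microsoft's analysis or any code from Nitol), the following script runs simple flood heuristics over per-source flow summaries. The flow line format, the addresses (all from the RFC 5737 documentation ranges) and the thresholds are constructed assumptions; real deployments would read NetFlow/IPFIX or firewall logs and tune the thresholds to their baseline.

```python
"""Flag SYN, UDP and ICMP flood patterns in flow summaries (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "TCP", "UDP" or "ICMP"
    tcp_flags: str  # e.g. "S" (SYN only), "SA", "A"; empty for non-TCP
    packets: int    # packets seen for this 5-tuple in the observation window


def parse_flow(line: str) -> Flow:
    """Parse one line of the assumed format: '<src> <dst> <proto> <flags> <packets>'."""
    src, dst, proto, flags, packets = line.split()
    return Flow(src, dst, proto.upper(), "" if flags == "-" else flags.upper(), int(packets))


# Constructed sample flows (hypothetical addresses, not real telemetry).
SAMPLE_FLOWS = [
    "198.51.100.7 203.0.113.10 TCP S 400",   # hundreds of SYNs, almost no ACKs
    "198.51.100.7 203.0.113.10 TCP A 5",
    "192.0.2.44 203.0.113.10 TCP S 3",       # ordinary client: handshakes complete
    "192.0.2.44 203.0.113.10 TCP A 3",
    "198.51.100.9 203.0.113.10 UDP - 900",   # high-volume UDP from one source
    "198.51.100.9 203.0.113.10 ICMP - 20",
    "192.0.2.80 203.0.113.10 ICMP - 700",    # high-volume ICMP from one source
]


def detect_floods(lines, syn_threshold=100, syn_ratio=0.9, volume_threshold=500):
    """Return {source: [labels]} for sources whose traffic matches a flood pattern.

    SYN flood: at least `syn_threshold` SYN-only packets and a SYN share of
    TCP packets at or above `syn_ratio` (handshakes never complete).
    UDP/ICMP flood: at least `volume_threshold` packets of that protocol
    from a single source within the window.
    """
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "udp": 0, "icmp": 0})
    for line in lines:
        f = parse_flow(line)
        s = stats[f.src]
        if f.proto == "TCP":
            if "S" in f.tcp_flags and "A" not in f.tcp_flags:
                s["syn"] += f.packets
            elif "A" in f.tcp_flags:
                s["ack"] += f.packets
        elif f.proto == "UDP":
            s["udp"] += f.packets
        elif f.proto == "ICMP":
            s["icmp"] += f.packets

    findings = {}
    for src, s in stats.items():
        labels = []
        tcp_total = s["syn"] + s["ack"]
        if s["syn"] >= syn_threshold and tcp_total and s["syn"] / tcp_total >= syn_ratio:
            labels.append("SYN flood")
        if s["udp"] >= volume_threshold:
            labels.append("UDP flood")
        if s["icmp"] >= volume_threshold:
            labels.append("ICMP flood")
        if labels:
            findings[src] = labels
    return findings


if __name__ == "__main__":
    for src, labels in detect_floods(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(labels)}")
```

The SYN heuristic keys on the ratio of SYN-only to ACK-bearing packets rather than raw SYN volume alone, so a busy but legitimate client that completes its handshakes is not flagged; the UDP and ICMP checks are plain per-source volume and are the ones most in need of tuning against a real baseline.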

About FastFlux

Owner of ZeroSecurity, interested in programming, malware analysis and penetration testing. If you would like to write for the ZeroSecurity team, please use the contact form above.
