nccTrojan

The nccTrojan threat has been used in a series of attacks believed to be carried out by a Chinese-backed APT (Advanced Persistent Threat) group known as TA428. The cybercriminals are targeting military-related enterprises and public institutions located in several Eastern European countries and Afghanistan. The goal of the threatening campaigns appears to be data-collection and cyber espionage, with the threat actors dropping six different malware threats on the breached machines.

Initial access to the devices is achieved through highly-targeted spear-phishing campaigns. The TA428 hackers craft custom lure emails to be used against specific organizations. Some phishing emails even contained confidential or private information that is not publicly available. When victims execute the weaponized Word documents attached to the lure emails, it triggers a corrupted code exploiting the CVE-2017-11882 vulnerability. Details about the attacks and the hurtful arsenal of the hackers were released in a report b security researchers.

Analysis of nccTrojan

The nccTrojan malware has already been attributed to TA428. In fact, the threat appears to be actively developed by the attackers. The installation of the threat onto the breached device begins with the download of several files from the Command-and-Control (C2, C&C) server. The executable is delivered in the form of a .cab file with an arbitrary name. The expand system utility is needed to unpack the delivered file into an existing directory belonging to a legitimate software product. In addition, the hackers also drop a special installer component tasked with registering nccTrojan's DLL as a service. Doing so ensures that the threat will be loaded automatically on every system startup.

After becoming active, the main module of nccTrojan will attempt to establish contact with a list of hardcoded C2 addresses. All subsequent communication will be transmitted to the server that responds first. During the initial contact, the threat also sends various general information about the breached system, such as the computer name, IP address, user name, malware version, system localization data and more. The nccTrojan also provides the attackers with backdoor functionality, the ability to execute commands, launch executable files, kill select processes, manipulate the file system, fetch additional payloads from the C2 and more.