MS Word Documents Spreading .Net RAT Malware

A malicious MS Word document, titled “eml_-_PO20180921.doc,” has been found in the wild, and according to researchers at Fortinet's FortiGuard Labs, the document contains auto-executable malicious VBA code. Victims who receive and open the document are prompted with a security warning that macros have been disable. If the user then clicks on “enable content,” the NanoCore remote access Trojan (RAT) software is installed on the victim’s Windows system. According to FortiGuard Labs, the NanoCore RAT was developed in the .Net framework back in 2013. Despite its continued use, the author was convicted by the FBI and sentenced to nearly three years in prison. Researchers captured a sample of this latest version (1.2.2.0), which uses NanoCore to execute malicious behavior. Spreading through phishing campaigns that dupe victims into opening the document, the malware is downloaded from www.wwpdubai.com. Once executed, the VBA code downloads and saves an EXE file from the URL.