MS Word Documents Spreading .Net RAT Malware – Egress’ CTO comments

A malicious MS Word document, titled “eml_-_PO20180921.doc,” which contains auto-executable malicious VBA code and spreads through phishing campaigns, has been found by researchers at Fortinet’s FortiGuard Labs. Victims who open the document are prompted with a security warning that macros have been disabled. If the user then clicks on “enable content,” the NanoCore remote access Trojan (RAT) software is installed on the victim’s Windows system. Egress Software’s CTO, Neil Larkins, comments:

“This latest strain of NanoCore RAT is known to execute a series of malicious behaviours, including password stealing and keylogging, and makes it difficult for victims to eradicate by injecting code that preserves the malware in the infected system’s memory. As reports show, this strain is currently being transmitted via an infected Word document attached to phishing campaigns – so it is imperative people are on the lookout for this attachment and therefore, as much as possible, avoid downloading the malware in the first place.

Sophisticated phishing emails are designed to look as real as possible, and can, to the untrained eye, appear nearly identical to an email from a trusted sender or real person, particularly if an email account has been compromised or spoofed. On top of this, the malicious Word document used to transmit NanoCore RAT leverages people’s repeat behaviour of clicking to enable Microsoft macros within Office documents. As a first step, users should always think twice before opening attachments from unknown senders – particularly if they have a suspicious-looking or unfamiliar file name (like ’eml_-_PO20180921.doc’). Often, cyber-criminals take a scattergun approach to sending phishing emails, targeting a large audience with the aim of being successful with a proportion of recipients. As a result, even though the email may look and sound realistic, it’s likely the recipient hasn’t heard of or worked with the sender before – which should raise an immediate red flag. Users should always be encouraged to raise these incidents with their internal security team and, on personal devices, can rely on the research of organisations like Fortinet to steer them in the right direction as well.

Although it’s concerning to see another strain of NanoCore RAT emerge, despite its creator already being sentenced to serve almost three years in federal prison, new technologies are also evolving to help tackle new threats – and organisations should be on the lookout to use these wherever possible. The application of machine learning, deep learning and NLP has made it increasingly possible to mitigate this risk. By analysing various attributes, including the sender’s authenticity, smart technology can now recognise patterns and highlight anomalies – including whether or not the sender of an email can be trusted.”