{"id":6435,"date":"2021-06-28T14:29:28","date_gmt":"2021-06-28T21:29:28","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=6435"},"modified":"2024-04-26T13:20:36","modified_gmt":"2024-04-26T20:20:36","slug":"malspam-campaign-spoofing-waybill-delivers-nanocore-rat","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/","title":{"rendered":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT"},"content":{"rendered":"<h3><strong>Author: Yadu Nadh<\/strong><\/h3>\n<h3><strong>TLP: WHITE<\/strong><\/h3>\n<h3>Overview<\/h3>\n<p>On June 21, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.<sup>1<\/sup><\/p>\n<p>Threat actor(s) mainly spread NanoCore via malspam campaigns, by using phishing emails that contain a variety of attachments, such as IMG, ISO, ZIP, and Microsoft Office files.<sup>2<\/sup> Once executed, the malware allows the threat actor(s) to remotely access the victim\u2019s machine, steal user information, and then send it to the command and control (C&amp;C) servers operated by the actor.<\/p>\n<p>NanoCore has been observed in attacks on high-value targets in Asia, Europe, and the Middle East.<\/p>\n<h3>Customer Impact<\/h3>\n<p>NanoCore\u2019s features can be expanded via a plugin that enables a backdoor on the victim\u2019s machine. Nanocore\u2019s capabilities include:<sup>3<\/sup><\/p>\n<ul>\n<li>Remote surveillance via Remote Desktop<\/li>\n<li>Access to the webcam<\/li>\n<li>Access to audio feeds<\/li>\n<li>Connection to the reverse proxy server<\/li>\n<li>Transfer and execution of files<\/li>\n<li>Mining for cryptocurrency<\/li>\n<li>Backdoor commands<\/li>\n<li>Information theft.<\/li>\n<\/ul>\n<h3>Campaign Analysis<\/h3>\n<p>The campaign we observed uses a shipment theme to lure a target with a weaponized Microsoft Excel attachment. The email has the following subject, and no body:<\/p>\n<p><em>RE: FINAL HAWB\/ DN NEW CHINA\/HONG KONG SHIPMENT 21JUNE\/ ETD 27 JUNE 1600kgs 2106015<\/em><\/p>\n<p>Similar emails have been used in other campaigns that involve NanoCore. They have been distributed with a variety of phishing themes and have carried different attachments.<\/p>\n<h3>Attack Chain<\/h3>\n<p>Opening the malicious Excel attachment <em>CI_PL_BL_AWB 988-33669786.xlsx triggers EQNEDT32.EXE<\/em>, which exploits CVE-2017-11882, a vulnerability in Microsoft Equation Editor. It runs an embedded shellcode that downloads and executes a .NET binary from a remote server.<\/p>\n<p>After the binary is executed, NanoCore proceeds to gain persistence by creating a Windows schedule task. Subsequently, the malware tries to establish a C&amp;C (command and control) communication to a remote server<\/p>\n<h3>Vulnerabilities &amp; Mitigation<\/h3>\n<p>Malspam email campaigns are a common distribution method for malware. Infoblox recommends the following precautions for reducing the possibility of an infection:<\/p>\n<ul>\n<li>Always be suspicious of unexpected emails that contain documents and links, especially emails regarding financial or delivery correspondences.<\/li>\n<li>Avoid opening emails with generic subject lines<\/li>\n<li>Do not enable macros in Microsoft Office attachments, especially if the file\u2019s only apparent contents are directions for enabling macros.<\/li>\n<li>Never configure Microsoft Office to enable macros by default. Many malware families use macros as an infection vector.<\/li>\n<li>Before opening an attachment that seems to have come from a legitimate source, check (via phone or in person) with the sender the email appears to have come from.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-6528 size-full\" src=\"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/threat-intelligence-126.png\" alt=\"\" width=\"535\" height=\"623\" \/><\/p>\n<h3><strong>Endnotes<\/strong><\/h3>\n<ol>\n<li><a href=\"https:\/\/blog.morphisec.com\/nanocore-under-the-microscope\">https:\/\/blog.morphisec.com\/nanocore-under-the-microscope<\/a><\/li>\n<li><a href=\"https:\/\/success.trendmicro.com\/solution\/1122912-nanocore-malware-information\">https:\/\/success.trendmicro.com\/solution\/1122912-nanocore-malware-information<\/a><\/li>\n<li><a href=\"https:\/\/spanning.com\/blog\/nanocore-rat-malware-of-the-month\/\">https:\/\/spanning.com\/blog\/nanocore-rat-malware-of-the-month\/<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Yadu Nadh TLP: WHITE Overview On June 21, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.1 Threat actor(s) mainly spread NanoCore via malspam campaigns, by using phishing emails that contain a [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":6733,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[553],"tags":[294,518,441],"class_list":{"0":"post-6435","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-cyber-campaign-briefs","8":"tag-malspam","9":"tag-nanocore","10":"tag-rat","11":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Malspam Campaign Spoofing Waybill Delivers NanoCore RAT<\/title>\n<meta name=\"description\" content=\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT. On 21 June, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT\" \/>\n<meta property=\"og:description\" content=\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT. On 21 June, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2021-06-28T21:29:28+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:20:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"344\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT\",\"datePublished\":\"2021-06-28T21:29:28+00:00\",\"dateModified\":\"2024-04-26T20:20:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/\"},\"wordCount\":459,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-37.jpg\",\"keywords\":[\"Malspam\",\"NanoCore\",\"RAT\"],\"articleSection\":[\"Cyber Campaign Briefs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/\",\"name\":\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-37.jpg\",\"datePublished\":\"2021-06-28T21:29:28+00:00\",\"dateModified\":\"2024-04-26T20:20:36+00:00\",\"description\":\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT. On 21 June, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-37.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/ciu-image-37.jpg\",\"width\":612,\"height\":344,\"caption\":\"computer screen with programming code and an alert message, concept of computer security, malware or hacker attack (3d render)\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyber Campaign Briefs\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/cyber-campaign-briefs\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT","description":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT. On 21 June, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/","og_locale":"en_US","og_type":"article","og_title":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT","og_description":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT. On 21 June, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.","og_url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/","og_site_name":"Infoblox Blog","article_published_time":"2021-06-28T21:29:28+00:00","article_modified_time":"2024-04-26T20:20:36+00:00","og_image":[{"width":612,"height":344,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","type":"image\/jpeg"}],"author":"Infoblox Threat Intel","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Infoblox Threat Intel","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/"},"author":{"name":"Infoblox Threat Intel","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae"},"headline":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT","datePublished":"2021-06-28T21:29:28+00:00","dateModified":"2024-04-26T20:20:36+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/"},"wordCount":459,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","keywords":["Malspam","NanoCore","RAT"],"articleSection":["Cyber Campaign Briefs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/","url":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/","name":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","datePublished":"2021-06-28T21:29:28+00:00","dateModified":"2024-04-26T20:20:36+00:00","description":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT. On 21 June, Infoblox observed a malicious email campaign whose emails deliver NanoCore, a sophisticated remote access trojan (RAT). This malware was first discovered in 2013, when it was being sold in underground forums.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/ciu-image-37.jpg","width":612,"height":344,"caption":"computer screen with programming code and an alert message, concept of computer security, malware or hacker attack (3d render)"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-campaign-briefs\/malspam-campaign-spoofing-waybill-delivers-nanocore-rat\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Infoblox Threat Intel","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/"},{"@type":"ListItem","position":3,"name":"Cyber Campaign Briefs","item":"https:\/\/www.infoblox.com\/blog\/category\/threat-intelligence\/cyber-campaign-briefs\/"},{"@type":"ListItem","position":4,"name":"Malspam Campaign Spoofing Waybill Delivers NanoCore RAT"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/b6aed8965e3298a0817c16d32c0a67ae","name":"Infoblox Threat Intel","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","url":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","contentUrl":"https:\/\/blogs.infoblox.com\/wp-content\/uploads\/avatar_user_397_1714162589-96x96.png","caption":"Infoblox Threat Intel"},"description":"Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.","url":"https:\/\/www.infoblox.com\/blog\/author\/infoblox-threat-intel\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6435","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=6435"}],"version-history":[{"count":3,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6435\/revisions"}],"predecessor-version":[{"id":6533,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/6435\/revisions\/6533"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/6733"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=6435"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=6435"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=6435"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}