JSC State Technical Service

We all know that NCALayer must be installed in order to sign a request for a government service. The State Technical Service has identified a phishing Internet resource hxxps://ncalayer.info/update.php, which, when opened under the guise of an update for NCALayer, downloads and runs a malicious program like “Trojan Downloader”. After a chain of decryption and downloads, which includes a popular GitHub code repository, the Venom RAT v6.0.1 malware is installed on the computer, a cracked version of which is distributed on hacker darknet forums.

The peculiarity of this malware is that it has keylogger, data stealing, stealthy remote computer control (VNC), and webcam control functionality. As a result, the attacker is able to read information typed on the keyboard, view passwords, including those from browsers, and install third-party applications.

We strongly recommend that you do not download or install such programs or click on suspicious links, as it may threaten your personal information.

The National Computer Emergency Response Service KZ CERT has sent information to the foreign domain name registrar to take necessary measures. In addition, notifications have been sent to government agencies and operational centers of information security through an internal platform for information exchange.

Recall that the official Internet resource for installing NCALayer is https://ncl.pki.gov.kz/kz/.

Additional information for technicians in pre-detection and detection:

Checksums:

90FC32AFFDFE1F78C15B7D0D0D5C2EB0

DEC8D147133403AEAF4D6A3F568B96CE

11778B58E4DE1518F0B10129AB1D8D0D

BEE0C15CAED5C45356C7FD55290A2DBF

FFF67136941D5D16011E78DB9E2626F43ADFE3BC

1B9B17CEB20BB120C0113D90DC6E3751E50C98DC

DBB287CCAFA466DB2D049D3A11B791DD8D1694D7

5FDF1F9DE16AD67C3A40A0B57AAD8015978D4E60

63AD98FC47990E1B827A6C1B541D7A76F65722537EDAEF90FFDE5262F30383E2

FA086D24C7D52D75A4E6725517EE3A387A9D9CD5B0275FA010E1DFD81039DC46

4876B9C55E9B29F2C4CEEAA1FB498DEA8D4E4CD40356C92D23A4B15D9B70C51D

5917FD78B3281464E5231CFDDFA62A26DE5DCD8146EEDB7B58D40BBDB4424138

The file names:

Обновление-NCALayer.bat

%APPDATA%\NETFramework48\install.exe

%APPDATA%\OSDService\Init.exe

%APPDATA%\NETFramework48.zip

%APPDATA%\csrsv64.zip

%APPDATA%\OSDService.zip

Register:

parameters “ConsentPromptBehaviorAdmin” ключа HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

parameters “WinRAR32” ключа HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

parameters “Init” ключа HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\

Task:

Init

Network:

95.214.27[.]222

95.214.27[.]223

95.214.27[.]220