HACKERS ARE TARGETING GOVERNMENT SERVICES
We all know that NCALayer must be installed in order to sign a request for a government service. The State Technical Service has identified a phishing Internet resource, hxxps://ncalayer.info/update.php, which, when opened, poses as an NCALayer update and instead downloads and runs a Trojan-Downloader. After a chain of decryption and download stages, one of which fetches content from a popular public GitHub code repository, the Venom RAT v6.0.1 malware is installed on the computer; a cracked build of this RAT is distributed on hacker darknet forums.
The distinguishing feature of this malware is its combination of a keylogger, data theft, covert remote control of the computer (hidden VNC) and webcam control. As a result, the attacker can read everything typed on the keyboard, harvest passwords, including those saved in browsers, and install further third-party applications.
We strongly recommend that you do not download or install software from unofficial sources or open suspicious links, as doing so puts your personal information at risk.
The National Computer Emergency Response Service KZ-CERT has sent the information to the foreign domain-name registrar so that the necessary measures can be taken. In addition, notifications have been sent to government agencies and information-security operations centers through the internal information-exchange platform.
Recall that the official Internet resource for installing NCALayer is https://ncl.pki.gov.kz/kz/.
Additional information for technical staff (indicators of compromise for detection and hunting):
Checksums (grouped by algorithm according to digest length: 32 hex characters = MD5, 40 = SHA-1, 64 = SHA-256):
MD5:
90FC32AFFDFE1F78C15B7D0D0D5C2EB0
DEC8D147133403AEAF4D6A3F568B96CE
11778B58E4DE1518F0B10129AB1D8D0D
BEE0C15CAED5C45356C7FD55290A2DBF
SHA-1:
FFF67136941D5D16011E78DB9E2626F43ADFE3BC
1B9B17CEB20BB120C0113D90DC6E3751E50C98DC
DBB287CCAFA466DB2D049D3A11B791DD8D1694D7
5FDF1F9DE16AD67C3A40A0B57AAD8015978D4E60
SHA-256:
63AD98FC47990E1B827A6C1B541D7A76F65722537EDAEF90FFDE5262F30383E2
FA086D24C7D52D75A4E6725517EE3A387A9D9CD5B0275FA010E1DFD81039DC46
4876B9C55E9B29F2C4CEEAA1FB498DEA8D4E4CD40356C92D23A4B15D9B70C51D
5917FD78B3281464E5231CFDDFA62A26DE5DCD8146EEDB7B58D40BBDB4424138
File names and paths (the first is the batch dropper delivered to the user; the rest are dropped under %APPDATA%):
Обновление-NCALayer.bat
%APPDATA%\NETFramework48\install.exe
%APPDATA%\OSDService\Init.exe
%APPDATA%\NETFramework48.zip
%APPDATA%\csrsv64.zip
%APPDATA%\OSDService.zip
Registry:
value "ConsentPromptBehaviorAdmin" under key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System (UAC elevation-prompt policy for administrators; a value of 0 means "elevate without prompting")
value "WinRAR32" under key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (autorun persistence)
value "Init" under key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (autorun persistence)
Scheduled task:
Init
Network (command-and-control addresses, defanged):
95.214.27[.]222
95.214.27[.]223
95.214.27[.]220
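The following host-triage script is an added example and is not part of the KZ-CERT advisory. It checks a single Windows host for the indicators listed above: the dropped file paths and their hashes, the two Run values, the UAC policy value, the "Init" scheduled task and live TCP connections to the three C2 addresses. The indicator values are copied verbatim from the lists above; the interpretation of ConsentPromptBehaviorAdmin = 0 as "elevate without prompting" is standard Windows semantics, not something the advisory states. The script only reports; it removes nothing.

```powershell
# Added triage script (not from the KZ-CERT advisory). Run in an elevated
# PowerShell on Windows 8 / Server 2012 or newer (Get-ScheduledTask and
# Get-NetTCPConnection are not available on older systems).
# Registry checks cover the current user's HKCU only; other profiles need
# their NTUSER.DAT hives loaded separately.

$Hashes = @{
    MD5    = @('90FC32AFFDFE1F78C15B7D0D0D5C2EB0', 'DEC8D147133403AEAF4D6A3F568B96CE',
               '11778B58E4DE1518F0B10129AB1D8D0D', 'BEE0C15CAED5C45356C7FD55290A2DBF')
    SHA1   = @('FFF67136941D5D16011E78DB9E2626F43ADFE3BC', '1B9B17CEB20BB120C0113D90DC6E3751E50C98DC',
               'DBB287CCAFA466DB2D049D3A11B791DD8D1694D7', '5FDF1F9DE16AD67C3A40A0B57AAD8015978D4E60')
    SHA256 = @('63AD98FC47990E1B827A6C1B541D7A76F65722537EDAEF90FFDE5262F30383E2',
               'FA086D24C7D52D75A4E6725517EE3A387A9D9CD5B0275FA010E1DFD81039DC46',
               '4876B9C55E9B29F2C4CEEAA1FB498DEA8D4E4CD40356C92D23A4B15D9B70C51D',
               '5917FD78B3281464E5231CFDDFA62A26DE5DCD8146EEDB7B58D40BBDB4424138')
}
$DroppedPaths = @('NETFramework48\install.exe', 'OSDService\Init.exe',
                  'NETFramework48.zip', 'csrsv64.zip', 'OSDService.zip') |
                ForEach-Object { Join-Path $env:APPDATA $_ }
$C2 = @('95.214.27.222', '95.214.27.223', '95.214.27.220')

$Findings = New-Object System.Collections.Generic.List[string]

# Returns "ALG=digest" if the file's digest is in the advisory's list, else $null.
function Test-IocHash([string]$Path) {
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $h = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash   # upper-case hex
        if ($Hashes[$alg] -contains $h) { return "$alg=$h" }
    }
    return $null
}

# 1. Dropped files: report a path hit even if the hash differs (re-packed sample).
foreach ($p in $DroppedPaths) {
    if (Test-Path -LiteralPath $p) {
        $match = Test-IocHash $p
        $tag = if ($match) { "hash match $match" } else { 'path match only, hash differs' }
        $Findings.Add("FILE  $p ($tag)")
    }
}
# The batch dropper lands wherever the user saved it; search the profile by name.
Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter 'Обновление-NCALayer.bat' -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings.Add("FILE  $($_.FullName) (dropper found by name)") }

# 2. Autorun persistence in the current user's Run key.
$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'WinRAR32', 'Init') {
    $v = (Get-ItemProperty -Path $RunKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $Findings.Add("REG   $RunKey\$name = $v") }
}

# 3. UAC tampering: 0 = elevate without prompting (standard Windows meaning).
$Policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = (Get-ItemProperty -Path $Policy -Name 'ConsentPromptBehaviorAdmin' -ErrorAction SilentlyContinue).ConsentPromptBehaviorAdmin
if ($null -ne $uac -and $uac -eq 0) {
    $Findings.Add("REG   $Policy\ConsentPromptBehaviorAdmin = 0 (admin UAC prompts disabled)")
}

# 4. Scheduled task named "Init".
$task = Get-ScheduledTask -TaskName 'Init' -ErrorAction SilentlyContinue
if ($task) {
    $exe = ($task.Actions | ForEach-Object { $_.Execute }) -join ', '
    $Findings.Add("TASK  $($task.TaskPath)$($task.TaskName) -> $exe")
}

# 5. Live TCP connections to the advisory's C2 addresses.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $C2 -contains $_.RemoteAddress } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $Findings.Add("NET   $($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess) ($proc)")
    }

if ($Findings.Count -gt 0) {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
    exit 1
} else {
    Write-Output "No indicators from the advisory found on $env:COMPUTERNAME"
    exit 0
}
```

The script exits with code 1 when anything matches, so it can be pushed out through a management tool and the return code collected. A "path match only" result still deserves a look: the file names are specific enough that a hash mismatch more likely means a re-packed build than a false positive. Absence of live C2 connections proves little, since the RAT may be idle; the file, Run-key and task checks are the durable indicators.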