Botnet C&C

Nitol

Brief

Nitol bots are primarily used in the distribution of additional malware and in launching DDoS attacks.

Symptoms

Some possible symptoms include, but are not limited to:

  • Creation of an EXE or DLL file with a randomly generated name in the Program Files folder, the System folder or the Windows root directory
  • Creation of a service
  • Creation or modification of Windows registry entries to maintain persistence
  • Significant increase in outbound traffic which may indicate participation in a DDoS attack

Analysis

Nitol will create a backdoor to allow additional access or installation of files. It will attempt to connect to a C&C server every second or so to retrieve commands.
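The two network-side symptoms above (a check-in to the C&C server roughly every second, and a jump in outbound traffic) can both be pulled out of ordinary connection logs. The script below is an added example and is not Fortinet's code or anything shipped with FortiClient; it parses a constructed, hypothetical firewall export (the line format, the host 10.0.0.5 and the TEST-NET addresses 203.0.113.10 and 198.51.100.x are all assumptions) and flags flows whose connection gaps are short and nearly constant, which is what a once-per-second beacon looks like next to ordinary browsing.

```python
"""Flag hosts whose outbound connections fire at a short, fixed interval.

Added example, not Fortinet's code. The log format, hosts and addresses
below are constructed; adapt parse_line() to your real connection log.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical line format: "<ISO8601 time> <src_ip> -> <dst_ip>:<dst_port> <bytes_out>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<bytes>\d+)$"
)

# Constructed sample data. 10.0.0.5 contacts 203.0.113.10 (a TEST-NET address
# standing in for a C&C server) about once per second with tiny requests;
# 10.0.0.7 makes a handful of ordinary, irregularly spaced web connections.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 -> 203.0.113.10:8080 312
2024-01-01T10:00:01 10.0.0.5 -> 203.0.113.10:8080 310
2024-01-01T10:00:02 10.0.0.5 -> 203.0.113.10:8080 315
2024-01-01T10:00:03 10.0.0.5 -> 203.0.113.10:8080 309
2024-01-01T10:00:04 10.0.0.5 -> 203.0.113.10:8080 312
2024-01-01T10:00:05 10.0.0.5 -> 203.0.113.10:8080 311
2024-01-01T10:00:06 10.0.0.5 -> 203.0.113.10:8080 314
2024-01-01T10:00:00 10.0.0.7 -> 198.51.100.20:443 1450
2024-01-01T10:00:09 10.0.0.7 -> 198.51.100.21:443 2210
2024-01-01T10:00:37 10.0.0.7 -> 198.51.100.20:443 980
2024-01-01T10:01:52 10.0.0.7 -> 198.51.100.22:443 1730
2024-01-01T10:03:10 10.0.0.7 -> 198.51.100.20:443 1120
"""


def parse_line(line):
    """Return (timestamp, src, 'dst:port', bytes_out) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"],
            f'{m["dst"]}:{m["port"]}', int(m["bytes"]))


def find_beacons(log_text, max_interval=2.0, max_jitter=0.5, min_connections=5):
    """Return (src, dst, count, median_gap_seconds) for each src->dst flow whose
    consecutive connections are both frequent (median gap <= max_interval) and
    regular (spread of gaps <= max_jitter). A once-per-second check-in shows up
    as a median gap near 1.0 with almost no spread."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, src, dst, _ = rec
            flows[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_connections:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        spread = statistics.pstdev(gaps)
        if median_gap <= max_interval and spread <= max_jitter:
            hits.append((src, dst, len(stamps), median_gap))
    return hits


def outbound_bytes_per_host(log_text):
    """Sum bytes_out per source host; compare against the host's usual baseline
    to spot the outbound surge that accompanies DDoS participation."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            _, src, _, nbytes = rec
            totals[src] += nbytes
    return dict(totals)


if __name__ == "__main__":
    for src, dst, n, gap in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst}, {n} connections, median gap {gap:.1f}s")
    for host, total in sorted(outbound_bytes_per_host(SAMPLE_LOG).items()):
        print(f"{host}: {total} bytes out")
```

The thresholds are deliberately loose defaults: lower `max_jitter` for stricter matching, and raise `min_connections` on busy networks so short bursts of legitimate polling do not trip it. Because it keys on regularity rather than on any particular address, the same check catches a beacon whose C&C host differs from the constructed one here.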

Nitol also collects the following information and sends it to its master:

  • IP-based location information
  • System telemetry
  • System specifications (such as CPU, RAM and version of Windows running)

Nitol is mostly prevalent in China, but has been seen in other locations.

Instructions

It is not recommended that any attempts to remove this malware be performed manually. Fortinet recommends that you remove this threat by running a complete scan of your system using FortiClient Endpoint Protection.