Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 2 August, 2021
Global rank: 4
Week rank: 5
Month rank: 5
IOCs: 13671

What is NanoCore malware?

This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular. It is now used in attacks all around the world. As a modular malware, the functionality of the NanoCore backdoor can be greatly expanded with plugins. This makes an already dangerous RAT potentially even more destructive for the company's cybersecurity.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums, where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, the accessibility and ease of use of NanoCore are still contributing to its growing popularity. It is not completely certain whether the malware was being developed as a commercial program for institutions or whether the creator set out to create malicious software from the beginning. Regardless, the NanoCore author, Taylor Huddleston, was tracked down and arrested by the FBI.

General description of NanoCore RAT

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide. However, the majority of attacks are taking place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen locker functionality to the virus. Some essential plugins are already provided with the purchase bundle on the “official” website. Other, even more sophisticated ones are developed by the community of cybercriminals that has formed around NanoCore.

For crooks that don’t want to engage in fiddling with plugins, NanoCore provides a straightforward user interface. It allows even novice criminals to launch potentially destructive malicious campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by the ANY.RUN malware hunting service allows us to analyze the lifecycle of the trojan. We can watch its behavior as well as all processes as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

The emails sometimes contain malicious attachments with a .img or .iso extension. The large size of these files makes it difficult to scan them. Some versions of the malware are also spread in a ZIP file that evades secure email gateways. A multi-file structure works here: one file downloads the payload while the rest are decoys that ensure the malicious content goes unnoticed by the system's security.

PowerPoint files follow the same scenario: the infection chain takes place over multiple stages before the final payload is executed.

NanoCore RAT execution process

NanoCore is delivered to the victim’s PC using the AutoIt program, much like Agent Tesla malware, which is somewhat typical for this type of RAT. Typically, NanoCore is spread using Microsoft Word documents. Infected files contain an embedded executable file or an exploit.

According to the RAT analysis, once the file is opened, embedded macros download an executable file and rename it. The downloaded file runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore malware using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT by a quick analysis of the files created by the malware. Most often, NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is, in fact, the NanoCore trojan.
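The two observations above (the Office-document-to-RegSvcs/RegAsm/MSBuild process chain from the execution section, and the run.dat drop under the per-victim GUID folder in AppData\Roaming) translate directly into endpoint detection logic. The script below is an added example and is not ANY.RUN's code or part of the page; it runs the two checks over a constructed list of Sysmon-style process-creation and file-creation events. The event shape, the sample PIDs and paths, and the GUID value are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Processes the page reports NanoCore injecting into (RegSvcs.exe, RegAsm.exe, MSBuild.exe).
NANOCORE_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}
# Office applications that start the documented infection chain (Word is on the page;
# Excel and PowerPoint are added as assumptions for the same macro-based delivery).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# run.dat inside <drive>:\Users\<user>\AppData\Roaming\<GUID>\ ; braces around the GUID are optional.
RUN_DAT_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\\{?[0-9A-Fa-f-]{36}\}?\\run\.dat$",
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str                     # "process" (creation) or "file" (creation)
    pid: int
    image: str                    # full path of the acting process image
    ppid: Optional[int] = None    # parent PID for "process" events
    target: Optional[str] = None  # created file path for "file" events


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event], max_depth: int = 5) -> List[Dict[str, object]]:
    """Return findings for the two NanoCore indicators described on the page."""
    by_pid: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    findings: List[Dict[str, object]] = []
    for e in events:
        if e.kind == "process" and basename(e.image) in NANOCORE_HOSTS:
            # Walk up the tree: a CLR utility whose ancestor is an Office app is the
            # "macro downloads executable, executable spawns RegAsm/RegSvcs" chain.
            ancestor, depth = by_pid.get(e.ppid), 0
            while ancestor is not None and depth < max_depth:
                if basename(ancestor.image) in OFFICE_APPS:
                    findings.append({"rule": "office_to_clr_utility", "pid": e.pid,
                                     "ancestor": ancestor.image})
                    break
                ancestor, depth = by_pid.get(ancestor.ppid), depth + 1
        elif e.kind == "file" and e.target and RUN_DAT_RE.match(e.target):
            # run.dat is only a NanoCore indicator when one of the injected hosts writes it.
            actor = by_pid.get(e.pid)
            if actor is not None and basename(actor.image) in NANOCORE_HOSTS:
                findings.append({"rule": "run_dat_drop", "pid": e.pid, "path": e.target})
    return findings


# Constructed sample telemetry (not real data): a Word-launched chain ending in RegAsm.exe
# that drops run.dat, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    Event("process", 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", ppid=1),
    Event("process", 200, r"C:\Users\alice\AppData\Local\Temp\invoice.exe", ppid=100),
    Event("process", 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ppid=200),
    Event("file", 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          target=r"C:\Users\alice\AppData\Roaming\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\run.dat"),
    # Benign: a developer build spawning MSBuild from Visual Studio, no Office ancestor.
    Event("process", 500, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe", ppid=1),
    Event("process", 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ppid=500),
    # Benign: explorer.exe writing a similarly named file; wrong actor, so no finding.
    Event("process", 600, r"C:\Windows\explorer.exe", ppid=1),
    Event("file", 600, r"C:\Windows\explorer.exe",
          target=r"C:\Users\alice\AppData\Roaming\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\run.dat"),
]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the acting process rather than on the file name alone, so a stray run.dat written by an unrelated process is ignored; feeding real Sysmon Event ID 1 and Event ID 11 records into `Event` is the only adaptation needed to run this against collected telemetry.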

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use, and customization, the popularity of NanoCore escalated, making it one of the most widespread RATs in the world. Even though NanoCore’s creator has been arrested by officials, NanoCore is still openly available on hacker forums due to the appearance of several cracked versions.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.

IOCs

IP addresses
3.134.39.220
192.254.74.210
192.169.69.26
3.131.147.49
3.22.15.135
79.134.225.76
3.138.180.119
79.134.225.77
52.14.18.129
3.141.142.211
84.38.133.182
185.140.53.253
3.138.45.170
3.141.177.1
3.22.53.161
193.161.193.99
92.205.18.228
188.119.112.240
185.19.85.150
Hashes

Domains
isns.net
medicosco.publicvm.com
elumadns.eluma101.com
stellacy.duckdns.org
4.tcp.ngrok.io
typejimbo.ddns.net
majul.com
qualiphar.be
ar.oldversion.com
erunski.duckdns.org
eleks.ddns.net
housecommand.duckdns.org
venezia-pl.myq-see.com
amechi.duckdns.org
poseidon99.duckdns.org
johnsonsig001.duckdns.org
mrjeffy.duckdns.org
mygodissogoodtome.ddns.net
volodymyr.gotdns.ch
blessingfollowme.myddns.me
