Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 26 January, 2023
Global rank: 7
Week rank: 13
Month rank: 11
IOCs: 19715

What is NanoCore malware?

This malware was first recorded in the wild in 2013. Since then it has become extremely popular and is now used in attacks all around the world. As a modular malware, the functionality of the NanoCore backdoor can be greatly expanded with plugins, which makes an already dangerous RAT potentially even more destructive for a company's cybersecurity.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums, where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, this accessibility, ease of use, and the abundance of information on NanoCore continue to contribute to its growing popularity. It is not completely certain whether the malware was being developed as a commercial program for institutions or whether the creator set out to create malicious software from the beginning. Regardless, NanoCore's author, Taylor Huddleston, was tracked down and arrested by the FBI.

General Information about NanoCore RAT

According to the analysis, NanoCore's first beta appeared in 2013. The latest version of the malware is being openly sold on its own website, NANOCORE_dot_io. Unfortunately, this has helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide; however, the majority of attacks take place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen locker functionality. Some essential plugins are already provided with the purchase bundle on the "official" website. Other, even more sophisticated ones are being developed by the community of cybercriminals that has formed around NanoCore.

For crooks who don't want to engage in fiddling with plugins, NanoCore provides a straightforward user interface. It allows even novice criminals to launch potentially destructive malicious campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by the ANY.RUN malware hunting service allows us to analyze the lifecycle of the trojan, or of other malware such as WSHRAT or Vidar. We can watch NanoCore's behavior, as well as all of its processes, as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods; however, the most common one is spam email campaigns. These trick users into downloading malicious documents, often presented as price lists or purchase orders.

The emails sometimes contain malicious attachments with .img or .iso extensions, whose large size makes them difficult to scan. Some versions of the malware are also spread in a ZIP file that evades secure email gateways. A multi-file structure is used here: one script file downloads the payload while the rest are decoys that ensure the malicious content goes unnoticed by the system's security.

PowerPoint files follow the same scenario, as the infection chain takes place over multiple stages before the final payload is executed.

NanoCore RAT execution process

NanoCore is delivered to the victim's PC using the AutoIt program, much like Agent Tesla malware, which is fairly typical for this type of RAT. Typically, NanoCore is spread using Microsoft Word documents. Infected files contain an embedded executable file or an exploit.

According to the RAT analysis, once the file is opened, an embedded macro downloads an executable file and renames it. The downloaded executable runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore malware using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT by a quick analysis of the files and scripts created by the malware. Most often, NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is, in fact, the NanoCore trojan.

Figure 3: File created by NanoCore
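The run.dat check described above, written as detection logic over file-creation events. This is an added example, not ANY.RUN's code or output: the event fields (process image name, created-file path) and the sample events are constructed for the demonstration, and the GUID folder is matched with or without braces because the page does not show its exact form. The same process set covers the Regsvcs/Regasm proxy-execution behaviour mentioned in the execution-process section.

```python
import re
from dataclasses import dataclass

# run.dat dropped under %AppData%\Roaming\<GUID>\ is the artifact the text
# describes; the GUID-shaped folder name is the distinguishing part. Braces
# are optional because the page does not show the exact folder format.
GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
RUN_DAT_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\" + GUID + r"\\run\.dat$",
    re.IGNORECASE,
)

# Trusted .NET utilities the page says NanoCore injects into.
INJECT_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}


@dataclass
class FileEvent:
    """One file-creation event; field names are an assumption, not ANY.RUN's schema."""
    process: str  # image name of the process that created the file
    path: str     # full path of the created file


def is_nanocore_run_dat(ev: FileEvent) -> bool:
    """True when a known injection target writes run.dat into a GUID-named Roaming folder."""
    return ev.process.lower() in INJECT_TARGETS and RUN_DAT_RE.match(ev.path) is not None


def triage(events: list[FileEvent]) -> list[FileEvent]:
    """Return only the events that match the NanoCore run.dat indicator."""
    return [ev for ev in events if is_nanocore_run_dat(ev)]


# Constructed sample events (not real telemetry); the GUID and user names are made up.
SAMPLE_EVENTS = [
    FileEvent("RegAsm.exe", r"C:\Users\alice\AppData\Roaming\{1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b}\run.dat"),
    FileEvent("explorer.exe", r"C:\Users\alice\AppData\Roaming\{1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b}\run.dat"),
    FileEvent("MSBuild.exe", r"C:\Users\alice\AppData\Roaming\Microsoft\run.dat"),
    FileEvent("RegSvcs.exe", r"C:\Users\bob\AppData\Roaming\1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b\run.dat"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"NanoCore indicator: {hit.process} created {hit.path}")
```

Only the two events where an injection-target process writes run.dat into a GUID-named Roaming folder are reported; the same path from explorer.exe and a run.dat outside a GUID folder are left alone.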

Conclusion

Thanks to its accessibility, ease of use, customization, and the wealth of information available, NanoCore's popularity has escalated, making it one of the most widespread RATs in the world. Even though NanoCore's creator has been arrested by officials, NanoCore is still openly available on hacker forums due to the appearance of several cracked versions.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.
