Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type
Trojan
Origin
USA
First seen
1 January, 2013
Last seen
30 September, 2020
Global rank
4
Week rank
5
Month rank
5
IOCs
7984

What is NanoCore malware?

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins that allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular. It is now used in attacks all around the world. As a modular malware, the functionality of NanoCore backdoor can be greatly expanded with plugins. This makes an already dangerous RAT potentially even more destructive.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, accessibility and ease-of-use of NanoCore are still contributing to it’s growing popularity. It’s not completely certain whether the malware was being developed as a commercial program for institutions, or the creator had a goal to create malicious software from the beginning, Regardless, NanoCore author, Taylor Huddleston was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide. However, the majority of attacks are taking place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance, by adding screen locker functionality to the virus. Some essential plugins are already provided with the purchase bundle on the “official” website. Other even more sophisticated ones are being developed by the community of cybercriminals, that has formed around NanoCore.

For attackers that don’t want to engage in fiddling with plugins, NanoCore provides a straightforward user interface It allows even novice attackers to launch potentially destructive malicious campaigns. Thus further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of the trojan. We can watch its behavior as well as all processes as they unfold in a secure online environment.

nanocore execution process graph

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

NanoCore execution process

NanoCore is delivered to the victim’s PC using the AutoIt program. Not unlike Agent Tesla malware, which is somewhat typical for this type of RATs. Typically, NanoCore is spread using Microsoft Word documents. Infected files contain an embedded executable file or an exploit.

Once the file is opened an embedded macros download an executable file and rename it. The downloaded file runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy the code execution through a trusted Windows utility.

nanocore execution process tree

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT or not by taking a look at the files created by the malware. Most often NanoCore injects into three processes RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming[GUID] folder, you can be sure that the malware you are observing is, in fact, NanoCore trojan.

file created by nanocore Figure 3: File created by Nanocore

Conclusion

Thanks to accessibility, ease of use and customization, the popularity of NanoCore escalated making it one of the most widespread RATs in the world. Even though NanoCores’ creator has been arrested by officials, due to the appearance of several cracked versions, NanoCore is still openly available on hacker forums.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since it’s malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up appropriate cybersecurity response.

IOCs

IP addresses
79.134.225.70
3.131.123.134
3.131.147.49
192.169.69.25
193.161.193.99
3.13.191.225
3.130.209.29
178.234.148.242
216.38.7.249
79.134.225.45
79.134.225.76
79.134.225.11
79.134.225.73
192.222.176.180
3.127.138.57
185.19.85.147
185.140.53.132
185.165.153.202
194.5.97.82
79.134.225.35
Hashes
8cb2a3a7006c907ef7d94a64a6c2e277177d4d0e030ed97289c372d8d0fc6d2c
9938401fcf8c52c98c398e1e26bf18a1d43176fdf35d3158592ef716f19e9a87
b13a09365b9ecb7185ddb44cb6a45deb40537609c4b3379f7da13fc583925b45
1aa9ea18c1c4a2396bcb82fd69b7a4a4923dd94a450a2c386df5af5387cb96ad
705e8de71ac0ed857443cdb8e0642a6b36c587166f8521fa61ab050d976629aa
1c2ade145fc1bdc2e6217fdb3f3449fc43813a1376e2c92d97cca455ecbca97f
042d136cf6ea7d0b6a65ae688da4b367a5474bbaaee14003ca90b4fbd8b674c9
2258a123712973f8756cbd823a70607ca9d4e42a0b3f50137384b3ea3efd5dbe
0810881b5ff16b8b92d78dee769a8b24092aedb99b734049bdce9e7436db6b84
cd3b77c8d5ca5b62344a7527614f78efd419ddfa72b3257a762d6da38266f90b
97cc42701ab4be625be6536c12f4dda8a057f133f2f4783c3312cdb78292cd03
5c6cd580f27f8307e602dba1abfbd803f90f0175e29019e96fee2c413ef12da9
6c58b7585a6d78b6ed580c287f8873dcd58de2e62dece85451715df4409042c9
0476ca35e4679980e14302278e421cb436cb750a23c3bae44d755ac61ea0ea44
7dddf5c8a55896e7c6c7891b5efb60c69cb51897491b834910c03968989f2836
b45a6724b6aca82aa7ef9291aa01e6a9672bbb791d4d02bb3aa320e07f8dff59
827b204bb07301383e9b03076ce318839dc0db995059cf11c52f4a6d638e2490
b5b15d87cd7a202084e3073d67f552cb8ff7cb7a722dfd7448dabea67ca322e7
110aebae5ac7357baa9f36e51c4eb2724a88c5dfed5484f9976cefdad941a5f1
ca249833f1d79f5cdf192dfc37167188fd57ce61246c63001a946718747d5fc0
Domains
srv1.cn-uinquetex.com
deaphnote.ddns.net
britianica.uk.com
2.tcp.ngrok.io
majul.com
elx01.knas.systems
duckdns6.duckdns.org
zerofiletransferfromhosttopcfromtheinter.duckdns.org
systemverysecurefiletransferwithcloud.duckdns.org
www.yhdsd.duckdns.org
diegomendoza.duckdns.org
kinholima.duckdns.org
pri0912.duckdns.org
peroteclave.duckdns.org
bitcoingglobalbusinessindustrypricegoodf.duckdns.org
workfineanotherrainstdybowlomoyent32mrw.duckdns.org
wwwmicrosoftwindowsfirewallsecuritydotco.duckdns.org
iphanyi.duckdns.org
larodrigues91.duckdns.org
sytemforinternationalfiletransferprotoco.duckdns.org

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More