Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 19 January, 2021
Global rank: 4
Week rank: 5
Month rank: 5
IOCs: 9519

What is NanoCore malware?

NanoCore was first recorded in the wild in 2013 and has since become extremely popular, with attacks observed all around the world. Because it is modular, the functionality of the NanoCore backdoor can be greatly expanded with plugins, which makes an already dangerous RAT potentially even more destructive.

Distributed from its own website with 24/7 technical support for just $25, with all official plugins included, the malware can also be downloaded from hacking forums, where "cracked" versions have been leaked multiple times, making it an extremely accessible trojan to set up and use. This accessibility and ease of use continue to drive its popularity. It is not entirely clear whether the malware was originally developed as a commercial remote-administration product or was intended as malicious software from the beginning. Regardless, NanoCore's author, Taylor Huddleston, was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore's first beta appeared in 2013. The latest version of the malware is being openly sold on its own website, NANOCORE_dot_io, which has helped ensure its popularity. Today NanoCore RAT targets victims worldwide, although the majority of observed attacks take place in the US.

One of the key characteristics of this RAT is that technically savvy attackers can greatly expand its functionality and fine-tune it to their needs, for instance by adding screen-locker functionality. Some essential plugins are already included in the purchase bundle on the "official" website; other, more sophisticated ones are developed by the community of cybercriminals that has formed around NanoCore.

For attackers who don't want to fiddle with plugins, NanoCore provides a straightforward user interface that lets even novice attackers launch potentially destructive malicious campaigns, which further contributes to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process, provided by the ANY.RUN malware hunting service, lets us take a closer look at the lifecycle of the trojan and watch its behavior and every spawned process as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed by multiple methods, but the most common is spam email campaigns that trick users into opening malicious documents, often presented as price lists or purchase orders.

NanoCore execution process

NanoCore is typically delivered to the victim's PC by an AutoIt-compiled loader, much like Agent Tesla; this is common for this class of RAT. The usual carrier is a Microsoft Word document that contains either an embedded executable file or an exploit.

Once the file is opened, an embedded macro downloads an executable file and renames it. The downloaded file runs and creates a child process. The malware is able to use RegSvcs.exe and RegAsm.exe to proxy its code execution through a trusted, signed Windows utility (the technique MITRE ATT&CK catalogs as Regsvcs/Regasm, T1218.009), so the malicious code ends up running inside a process that looks legitimate on a process list.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a NanoCore RAT sample by looking at the files created by the malware. Most often NanoCore injects into one of three processes: RegSvcs.exe, RegAsm.exe and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, that is a strong indicator that the malware you are observing is, in fact, the NanoCore trojan.

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use and customization, NanoCore's popularity escalated until it became one of the most widespread RATs in the world. Even though NanoCore's creator has been arrested, several cracked versions have appeared, and NanoCore is still openly available on hacker forums.

Often it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skilled hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine the malware in detail, learn its behavior patterns and set up an appropriate cybersecurity response.

IOCs

IP addresses
193.161.193.99
151.25.72.43
3.22.53.161
3.138.180.119
79.134.225.23
185.19.85.159
3.128.107.74
3.131.147.49
3.136.65.236
3.133.207.110
23.105.131.146
79.134.225.106
91.193.75.155
79.134.225.18
13.59.15.185
3.22.15.135
143.176.6.227
185.162.88.26
185.140.53.129
185.140.53.131
Hashes

Domains
coodyz.site
harold.jetos.com
susur2334.duckdns.org
2.tcp.ngrok.io
isns.net
4.tcp.ngrok.io
mike101.duckdns.org
shellgang.dynu.net
khuh870huj.ddns.net
mageret894.chickenkiller.com
goodluckfile.ddns.net
majul.com
uccccccheee.ddns.net
ruffella.ddns.net
shekinahwish.ddns.net
wizobi.ddns.net
lechydal.duckdns.org
praize19791.duckdns.org
mimi121.duckdns.org
erg45h45e.ddns.net
