Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type
Trojan
Origin
USA
First seen
1 January, 2013
Last seen
18 January, 2020
Global rank
4
Week rank
4
Month rank
4
IOCs
3527

What is NanoCore malware?

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular. It is now used in attacks all around the world. As a modular malware, the functionality of NanoCore backdoor can be greatly expanded with plugins. This makes an already dangerous RAT potentially even more destructive.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, accessibility and ease-of-use of NanoCore are still contributing to it’s growing popularity. It’s not completely certain whether the malware was being developed as a commercial program for institutions, or the creator had a goal to create malicious software from the beginning, Regardless, NanoCore author, Taylor Huddleston was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide. However, the majority of attacks is taking place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance, by adding screen locker functionality to the virus. Some essential plugins are already provided with the purchase bundle on the “official” website. Other even more sophisticated ones are being developed by the community of cybercriminals, that has formed around NanoCore.

For attackers that don’t want to engage in fiddling with plugins, NanoCore provides a straightforward user interface It allows even novice attackers to launch potentially destructive malicious campaigns. Thus further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of the trojan. We can watch its behavior as well as all processes as they unfold in a secure online environment.

nanocore execution process graph

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

NanoCore execution process

NanoCore is delivered to the victim’s PC using the AutoIt program. Not unlike Agent Tesla malware, which is somewhat typical for this type of RATs. Typically, NanoCore is spread using Microsoft Word documents. Infected files contain an embedded executable file or an exploit.

Once the file is opened an embedded macros download an executable file and rename it. The downloaded file runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy the code execution through a trusted Windows utility.

nanocore execution process tree

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT or not by taking a look at the files created by the malware. Most often NanoCore injects into three processes RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming[GUID] folder, you can be sure that the malware you are observing is in fact NanoCore trojan.

file created by nanocore Figure 3: File created by Nanocore

Conclusion

Thanks to accessibility, ease of use and customization, the popularity of NanoCore escalated making it one of the most widespread RATs in the world. Even though NanoCores’ creator has been arrested by officials, due to the appearance of several cracked versions, NanoCore is still openly available on hacker forums.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since it’s malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up appropriate cybersecurity response.

IOCs

IP addresses
23.106.160.1
185.244.30.8
192.169.69.25
194.5.99.51
79.134.225.121
185.19.85.144
79.134.225.120
79.134.225.123
154.16.93.172
91.189.180.211
181.52.109.69
79.134.225.74
185.165.153.218
185.244.30.19
216.38.8.170
216.38.7.247
79.134.225.76
3.19.114.185
139.130.191.33
185.140.53.131
Hashes
ec2981f40d6443c6bbc5addc60315b4caeaeadbba2217d97f2efff4ba27b6501
117c1f72903f58a7e52d98049c9d4395cfae5be6c3e32d42ca6f837518415e0b
6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
580c629e7b2dbf2562fad9fc32d147e06fa4156b67685afaa9a6a46e728b37da
c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768
c6999b9f79932c3b4f1c461a69d9dc8dc301d6a155abc33efe1b6e9e4a038391
f389ede474cdf96c48cbf3a55b2ef1dd5c9f0dffb2c3f249aae27f09e7075fbc
1b3ba1e34a39f953b0267a7c39371b8b8744e31f526290b0519d5b40b0261547
269d7da14b4b6086267fdbc57e2c5d7d2b84217d903304130ffdabb2859c3fc4
fba00042c4661189146713c0097d9e010c2d890018bcff6be7f855670022d541
2543e59e37b2155430af11715223c6af9b1fc45b67389c0a4e1cef18de64d962
ad8655da244a8229ca93cfb853d8969fcd5ba58817ba1142662a5fb282cde574
075b3bc9b0599cb37c60d30bf0dcac40a2e2404c0914d4762ec2ac5f2aafc34c
97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
09b577998d2a49515b30d5e48a88d44f382202f7067497da11cf8c94685c5cc7
c7b34059ac2754fab51c156cbe9ffb9a7654a07cbf7ee283a52b3dc6952d7f47
32b60d7bba22cc1682f4ba651d86c9fb357bdc82e9a284ab9668e5446bd24bb3
aae3743cfb253c4792519e05f60f57351970b18c678957e27b29af6f8375f0b7
9163b613eddf6b3dbe9426bc13e071169a3f8f08de70f53c97e07f6e1788d3e4
Domains
tugatuga.duckdns.org
kada.duckdns.org
departdec.duckdns.org
sherimix.duckdns.org
qxq.ddns.net
thuocnam.tk
majul.com
m-onetrading-jp.com
krupskaya.com
isns.net
rubenbakerr.ddns.net
vemvemserver.duckdns.org
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
gemalto.duckdns.org
bproduction.duckdns.org
jfcolombia001.duckdns.org
office365update.duckdns.org
kosovo.duckdns.org

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More
Dridex screenshot
Dridex
dridex trojan banker
Dridex is a very evasive and technically complex banking Trojan. Despite being based on a relatively old malware code, it was substantially updated over the years and became capable of using very effective infiltration techniques that make this malware especially dangerous.
Read More