Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

  • Type
    Trojan
  • Origin
    USA
  • First seen
    1 January, 2013
  • Last seen
    21 November, 2019
  • Global rank
    4
  • Week rank
    3
  • Month rank
    3
  • IOCs
    3177

What is NanoCore malware?


This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular and is now used in attacks all around the world. Because NanoCore is modular, the functionality of the backdoor can be greatly expanded with plugins, which makes an already dangerous RAT potentially even more destructive.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums where its source code has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, the accessibility and ease of use of NanoCore are still contributing to its growing popularity. It is not completely certain whether the malware was being developed as a commercial program for institutions, or whether the creator set out to build malicious software from the beginning. Regardless, NanoCore's author, Taylor Huddleston, was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website, NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide; however, the majority of attacks are taking place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen locker functionality to the virus. Some essential plugins are already provided with the purchase bundle on the “official” website. Other, even more sophisticated ones are being developed by the community of cybercriminals that has formed around NanoCore.

For attackers who don’t want to engage in fiddling with plugins, NanoCore provides a straightforward user interface. It allows even novice attackers to launch potentially destructive malicious campaigns, which further contributes to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by the ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of the trojan. We can watch its behavior, as well as all the processes it creates, as they unfold in a secure online environment.


Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

NanoCore execution process

NanoCore is delivered to the victim’s PC using the AutoIt program, not unlike Agent Tesla, which is fairly typical for this type of RAT. NanoCore is usually spread using Microsoft Word documents; the infected files contain an embedded executable file or an exploit.

Once the file is opened, an embedded macro downloads an executable file and renames it. The downloaded file runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy its code execution through a trusted Windows utility.


Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT or not by taking a look at the files created by the malware. Most often NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is in fact the NanoCore trojan.
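The two observations above (the process tree in "NanoCore execution process" and the run.dat check in this section) can be turned into an automated triage rule over sandbox events. The following is an added example written for this page, not ANY.RUN's own code: the Event schema, the field names, the Office host names (WINWORD.EXE, EXCEL.EXE), the assumption that the GUID folder may appear with or without braces, and every sample path are constructed. RegSvcs, RegAsm and MSBuild are legitimate .NET utilities, so the chain alone is only graded "suspicious"; the run.dat drop under Roaming\<GUID>\ is what the page treats as decisive.

```python
"""Added example (not ANY.RUN's code): flag the two NanoCore behaviours the
page describes, over constructed sandbox-style events.

  1. Process chain: an Office host (assumed WINWORD.EXE / EXCEL.EXE) spawns an
     executable from a user-writable folder, which spawns one of the trusted
     .NET utilities NanoCore injects into (RegSvcs.exe, RegAsm.exe, MSBuild.exe).
  2. File drop: one of those utilities creates "run.dat" under
     %AppData%\\Roaming\\<GUID>\\ (GUID folder assumed with or without braces).

The Event schema, field names and sample paths are constructed for this example.
"""
import re
from dataclasses import dataclass

INJECT_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}
OFFICE_HOSTS = {"winword.exe", "excel.exe"}

# ...\Users\<user>\AppData\Roaming\<GUID>\run.dat, case-insensitive
RUN_DAT_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Roaming\\\{?"
    r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\\run\.dat$",
    re.IGNORECASE,
)
# Folders an unprivileged user can write to; a dropper launched from here
# is more suspicious than one under Program Files or Windows.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents|Temp)\\", re.IGNORECASE
)


@dataclass
class Event:
    kind: str          # "process" (process start) or "file" (file created)
    pid: int           # acting process
    ppid: int          # its parent
    image: str         # full path of the acting process image
    target: str = ""   # created file path, only for "file" events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_process_chains(events):
    """Return (office_pid, dropper_pid, injected_pid) for every matching chain."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    chains = []
    for e in procs.values():
        if basename(e.image) not in INJECT_TARGETS:
            continue
        dropper = procs.get(e.ppid)
        if dropper is None or not USER_WRITABLE_RE.search(dropper.image):
            continue
        office = procs.get(dropper.ppid)
        if office is None or basename(office.image) not in OFFICE_HOSTS:
            continue
        chains.append((office.pid, dropper.pid, e.pid))
    return chains


def find_run_dat(events):
    """File-create events where an injected-into utility drops run.dat."""
    return [
        e for e in events
        if e.kind == "file"
        and basename(e.image) in INJECT_TARGETS
        and RUN_DAT_RE.search(e.target)
    ]


def assess(events):
    chains = find_process_chains(events)
    run_dat = [e.target for e in find_run_dat(events)]
    if run_dat:
        verdict = "nanocore-like"      # the page's decisive indicator
    elif chains:
        verdict = "suspicious-chain"   # worth a closer look, not conclusive
    else:
        verdict = "clean"
    return {"verdict": verdict, "chains": chains, "run_dat": run_dat}


# Constructed sample: one infection chain plus a benign MSBuild run from an IDE.
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    Event("process", 1000, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event("process", 1100, 1000, r"C:\Users\alice\AppData\Roaming\invoice.exe"),
    Event("process", 1200, 1100, NET + r"\RegAsm.exe"),
    Event("file", 1200, 1100, NET + r"\RegAsm.exe",
          r"C:\Users\alice\AppData\Roaming\7F3A1C2E-9B4D-4E1A-8C2F-1D5E6F7A8B9C\run.dat"),
    Event("process", 2000, 1, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    Event("process", 2100, 2000, NET + r"\MSBuild.exe"),
    Event("file", 2100, 2000, NET + r"\MSBuild.exe", r"C:\Users\alice\source\repos\app\bin\app.dll"),
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```

The benign MSBuild run in the sample is there on purpose: it exercises the same utility name without the user-writable dropper or the run.dat drop, and stays "clean", which is the false-positive case a rule like this has to survive on developer workstations.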

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use and customization, the popularity of NanoCore has escalated, making it one of the most widespread RATs in the world. Even though NanoCore’s creator has been arrested, NanoCore is still openly available on hacker forums due to the appearance of several cracked versions.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.

IOCs

IP addresses
79.134.225.108
192.169.69.25
185.165.153.22
103.200.6.62
217.12.210.196
194.5.97.14
181.52.109.69
79.134.225.93
79.134.225.104
185.140.53.15
79.134.225.81
18.223.41.243
3.19.3.150
79.134.225.114
79.134.225.80
185.244.30.251
79.134.225.87
23.249.165.200
213.208.152.214
89.78.90.166
Hashes

Domains
majul.com
xserver.mr-alex.be
mstanley.ufcfan.org
ubananocore.ddns.net
mcmp.duckdns.org
systempc1.ddns.net
octoberstan.duckdns.org
fucktoto.duckdns.org
backupnano.onthewifi.com
mardinmagicc.ddns.net
euroboss.duckdns.org
thuocnam.tk
m-onetrading-jp.com
krupskaya.com
isns.net
elx01.knas.systems
cjay55.duckdns.org
duckdns4.duckdns.org
salesxpert.duckdns.org
ipvhosted.duckdns.org
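The IOC lists above are most useful when swept against your own DNS and firewall logs. The following is an added example written for this page, not ANY.RUN's code: the BIND-style query log and key=value firewall log formats are assumed, the log lines are constructed, and the IP and domain values are a subset copied from the page's lists. Matching is done on the domain suffix so that a host under a listed domain is caught, while a look-alike such as notmajul.com is not.

```python
"""Added example (not ANY.RUN's code): sweep constructed DNS and firewall log
lines for the NanoCore IOCs listed on this page. The log formats are assumed;
the IP and domain values below are a subset copied from the page's IOC list."""
import re

NANOCORE_IPS = {
    "79.134.225.108", "192.169.69.25", "185.165.153.22", "103.200.6.62",
    "217.12.210.196", "194.5.97.14", "181.52.109.69", "185.140.53.15",
}
NANOCORE_DOMAINS = {
    "majul.com", "mstanley.ufcfan.org", "ubananocore.ddns.net",
    "mcmp.duckdns.org", "systempc1.ddns.net", "backupnano.onthewifi.com",
    "thuocnam.tk", "krupskaya.com", "elx01.knas.systems",
}

# Assumed formats: BIND-style query log and a key=value firewall log.
DNS_RE = re.compile(r"query:\s+(?P<name>[A-Za-z0-9._-]+)\s+IN\s+")
CONN_RE = re.compile(r"\bdst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(value: str) -> str:
    """Undo the common defanging seen in shared IOC lists ("majul[.]com")."""
    return value.replace("[.]", ".").replace("(.)", ".")


def domain_matches(name: str, iocs) -> bool:
    """True if name equals an IOC or is a subdomain of one.
    cdn.majul.com matches majul.com; notmajul.com does not."""
    labels = refang(name.lower().rstrip(".")).split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels)))


def scan(lines, ips=NANOCORE_IPS, domains=NANOCORE_DOMAINS):
    """Return (line_no, kind, value) for each IOC hit, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DNS_RE.search(line)
        if m and domain_matches(m.group("name"), domains):
            hits.append((n, "domain", m.group("name")))
        m = CONN_RE.search(line)
        if m and m.group("ip") in ips:
            hits.append((n, "ip", m.group("ip")))
    return hits


# Constructed log lines: two hits on the IOC lists, one look-alike, one benign.
SAMPLE_LOG = [
    "2019-11-21T10:02:11Z named client 10.0.0.15#51234: query: ubananocore.ddns.net IN A +",
    "2019-11-21T10:02:12Z fw src=10.0.0.15 dst=79.134.225.108 proto=tcp action=allow",
    "2019-11-21T10:03:00Z named client 10.0.0.22#40001: query: www.example.com IN A +",
    "2019-11-21T10:03:01Z fw src=10.0.0.22 dst=93.184.216.34 proto=tcp action=allow",
    "2019-11-21T10:04:05Z named client 10.0.0.15#51235: query: notmajul.com IN A +",
    "2019-11-21T10:05:05Z named client 10.0.0.15#51236: query: cdn.majul.com IN A +",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: %s %s" % hit)
```

Treat a hit as a lead rather than a verdict: many of the listed names sit on dynamic DNS providers (duckdns.org, ddns.net) whose hosts and addresses rotate, so the suffix match deliberately stops at the full listed name and never flags the provider domain itself, and an IP hit is best confirmed with the host-side run.dat check described above.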
