Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 19 February, 2020
Global rank: 4
Week rank: 5
Month rank: 4
IOCs: 3705

What is NanoCore malware?

This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular. It is now used in attacks all around the world. As a modular malware, the functionality of NanoCore backdoor can be greatly expanded with plugins. This makes an already dangerous RAT potentially even more destructive.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums, where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, the accessibility and ease of use of NanoCore are still contributing to its growing popularity. It is not completely certain whether the malware was being developed as a commercial program for institutions or whether the creator intended to create malicious software from the beginning. Regardless, the NanoCore author, Taylor Huddleston, was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website, NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide; however, the majority of attacks take place in the US.

One of the key characteristics of this RAT is that technically savvy attackers can greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen-locker functionality. Some essential plugins are already provided with the purchase bundle on the “official” website. Other, even more sophisticated ones are developed by the community of cybercriminals that has formed around NanoCore.

For attackers who do not want to fiddle with plugins, NanoCore provides a straightforward user interface. It allows even novice attackers to launch potentially destructive malicious campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of the trojan. We can watch its behavior as well as all processes as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

NanoCore execution process

NanoCore is delivered to the victim’s PC using the AutoIt program, much like Agent Tesla malware, which is somewhat typical for this type of RAT. Typically, NanoCore is spread using Microsoft Word documents; infected files contain an embedded executable file or an exploit.

Once the file is opened, embedded macros download an executable file and rename it. The downloaded file runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT by looking at the files created by the malware. Most often, NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is in fact the NanoCore trojan.
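The same check as detection logic over file-creation events, as an added example that is not ANY.RUN's code: it flags run.dat written into a GUID-named Roaming folder by one of the three host processes named above. The key=value event format, field names, PIDs and sample paths are constructed assumptions.

```python
import re

# Processes the page says NanoCore most often injects into.
NANOCORE_HOST_PROCESSES = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}

# <drive>:\Users\<user>\AppData\Roaming\{GUID}\run.dat, braces around the GUID optional.
RUN_DAT_PATTERN = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
    r"\\run\.dat$",
    re.IGNORECASE,
)

def parse_event(line: str) -> dict[str, str]:
    """Parse one 'key=value' event line (constructed format; values may be double-quoted)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def is_nanocore_run_dat(event: dict[str, str]) -> bool:
    """True when a known NanoCore host process creates run.dat in a GUID-named Roaming folder."""
    if event.get("action") != "file_create":
        return False
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    return image in NANOCORE_HOST_PROCESSES and RUN_DAT_PATTERN.match(event.get("path", "")) is not None

def find_nanocore_indicators(lines: list[str]) -> list[dict[str, str]]:
    """Return the events that match the run.dat indicator, in input order."""
    return [ev for ev in map(parse_event, lines) if is_nanocore_run_dat(ev)]

# Constructed sample events, not real telemetry: two hits, then three benign lines.
SAMPLE_EVENTS = [
    'action=file_create pid=4120 image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe" '
    'path="C:\\Users\\alice\\AppData\\Roaming\\{6F2A9B1C-3D4E-4F50-A1B2-C3D4E5F60718}\\run.dat"',
    'action=file_create pid=5216 image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe" '
    'path="C:\\Users\\alice\\AppData\\Roaming\\0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d\\run.dat"',
    # Same file name, but written by a process outside the NanoCore host set.
    'action=file_create pid=2210 image="C:\\Windows\\System32\\notepad.exe" '
    'path="C:\\Users\\alice\\AppData\\Roaming\\{6F2A9B1C-3D4E-4F50-A1B2-C3D4E5F60718}\\run.dat"',
    # RegAsm.exe writes run.dat, but not inside a GUID-named folder.
    'action=file_create pid=3301 image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" '
    'path="C:\\Users\\alice\\AppData\\Roaming\\run.dat"',
    # Process event, not a file event: ignored by the action filter.
    'action=process_create pid=4120 image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"',
]

if __name__ == "__main__":
    for hit in find_nanocore_indicators(SAMPLE_EVENTS):
        print(f"NanoCore run.dat indicator: pid={hit['pid']} image={hit['image']} path={hit['path']}")
```

Only the first two constructed events match; the notepad.exe write and the run.dat outside a GUID folder are rejected so the rule does not fire on the file name alone.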

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use and customization, the popularity of NanoCore escalated, making it one of the most widespread RATs in the world. Even though NanoCore’s creator has been arrested by officials, NanoCore is still openly available on hacker forums due to the appearance of several cracked versions.

Often it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.

IOCs

