Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 31 March, 2020
Global rank: 4
Week rank: 4
Month rank: 4
IOCs: 4086

What is NanoCore malware?

This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular. It is now used in attacks all around the world. As a modular malware, the functionality of NanoCore backdoor can be greatly expanded with plugins. This makes an already dangerous RAT potentially even more destructive.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums, where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, the accessibility and ease of use of NanoCore are still contributing to its growing popularity. It is not completely certain whether the malware was being developed as a commercial program for institutions or whether the creator intended to create malicious software from the beginning. Regardless, NanoCore’s author, Taylor Huddleston, was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide. However, the majority of attacks are taking place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen locker functionality to the virus. Some essential plugins are already provided with the purchase bundle on the “official” website. Other, even more sophisticated ones are being developed by the community of cybercriminals that has formed around NanoCore.

For attackers who don’t want to fiddle with plugins, NanoCore provides a straightforward user interface that allows even novice attackers to launch potentially destructive malicious campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of the trojan. We can watch its behavior as well as all processes as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

NanoCore execution process

NanoCore is delivered to the victim’s PC using the AutoIt program, much like Agent Tesla, which is fairly typical for this type of RAT. Typically, NanoCore is spread using Microsoft Word documents. Infected files contain an embedded executable file or an exploit.

Once the file is opened, an embedded macro downloads an executable file and renames it. The downloaded file runs itself and creates a child process. The malware is able to use RegSvcs and RegAsm to proxy code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT or not by taking a look at the files created by the malware. Most often, NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is, in fact, the NanoCore trojan.
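The two behaviours described above, a RegSvcs.exe/RegAsm.exe/MSBuild.exe process that descends from the Office application which opened the lure document, and one of those processes writing run.dat under AppData\Roaming\[GUID], can be turned into a detection over process-tree and file-creation events. The script below is an added example, not code from ANY.RUN or from this page; the event classes, the sample events (including the "invoice.exe" name for the downloaded executable) and the braces-optional GUID folder format are constructed assumptions, so real sandbox or EDR telemetry would have to be mapped into this shape first.

```python
"""Flag NanoCore-style behaviour in process-tree and file-creation events.

Added example with a constructed event format; not ANY.RUN's own code.
"""
import re
from dataclasses import dataclass

# Trusted .NET utilities this page reports NanoCore injecting into / proxying through.
INJECTION_TARGETS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}

# Office applications that open the malicious document (assumed set of image names).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Word -> downloaded exe -> child -> RegSvcs/RegAsm is a short chain, so look three hops up.
MAX_DEPTH = 3

# %Root%:\Users\<user>\AppData\Roaming\[GUID]\run.dat ; GUID braces are an assumption.
RUN_DAT_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"
    r"\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?"
    r"\\run\.dat$",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full image path


@dataclass
class FileEvent:
    pid: int    # process that created the file
    path: str   # created file path


def basename(path):
    """Lower-cased image/file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_ancestor(pid, procs, depth=MAX_DEPTH):
    """Return the image name of an Office ancestor within `depth` hops, else None."""
    cur = procs.get(pid)
    for _ in range(depth):
        if cur is None:
            return None
        parent = procs.get(cur.ppid)
        if parent is None:
            return None
        if basename(parent.image) in OFFICE_APPS:
            return basename(parent.image)
        cur = parent
    return None


def detect_nanocore(process_events, file_events):
    """Return a list of human-readable findings for the two NanoCore indicators."""
    procs = {p.pid: p for p in process_events}
    findings = []
    # Indicator 1: a .NET utility launched (indirectly) by an Office application.
    for p in process_events:
        name = basename(p.image)
        if name in INJECTION_TARGETS:
            ancestor = office_ancestor(p.pid, procs)
            if ancestor:
                findings.append(
                    f"{name} (pid {p.pid}) descends from {ancestor}: possible NanoCore proxy execution"
                )
    # Indicator 2: run.dat written under Roaming\[GUID] by one of those utilities.
    for f in file_events:
        proc = procs.get(f.pid)
        if proc and basename(proc.image) in INJECTION_TARGETS and RUN_DAT_RE.match(f.path):
            findings.append(
                f"run.dat written by {basename(proc.image)} (pid {f.pid}) at {f.path}: NanoCore indicator"
            )
    return findings


# Constructed sample telemetry: one infection chain plus a benign MSBuild run from Visual Studio.
SAMPLE_PROCESSES = [
    ProcessEvent(1, 0, r"C:\Windows\explorer.exe"),
    ProcessEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(200, 100, r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),   # downloaded, renamed
    ProcessEvent(300, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"),
    ProcessEvent(401, 1, r"C:\Program Files\Microsoft Visual Studio\devenv.exe"),
    ProcessEvent(400, 401, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"),
]
SAMPLE_FILES = [
    FileEvent(300, r"C:\Users\alice\AppData\Roaming\{A1B2C3D4-E5F6-7890-ABCD-EF1234567890}\run.dat"),
    FileEvent(400, r"C:\Users\alice\AppData\Roaming\Microsoft\run.dat"),  # no GUID folder: benign
]

if __name__ == "__main__":
    for line in detect_nanocore(SAMPLE_PROCESSES, SAMPLE_FILES):
        print(line)
```

Only the RegAsm.exe chain is reported: MSBuild.exe launched by devenv.exe has no Office ancestor, and its run.dat sits in a non-GUID folder, so neither indicator fires for it. The ancestor walk is deliberately shallow so that an unrelated, long-lived Office process does not taint every later .NET utility on the host.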

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use and customization, the popularity of NanoCore escalated, making it one of the most widespread RATs in the world. Even though NanoCore’s creator has been arrested by officials, due to the appearance of several cracked versions, NanoCore is still openly available on hacker forums.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.

IOCs

IP addresses
192.169.69.25
185.244.30.206
79.134.225.35
95.213.195.71
185.19.85.180
3.137.63.131
172.111.188.199
3.125.102.39
185.244.30.251
3.19.3.150
3.125.209.94
185.244.30.86
3.134.196.116
3.13.191.225
18.188.14.65
154.16.93.169
3.17.202.129
3.20.98.123
185.140.53.250
Hashes

Domains
roboticsnetwork.duckdns.org
kissmeifucan.ddns.net
britianica.uk.com
majul.com
xeliteme.us
tats2lou.ddns.net
elx01.knas.systems
coodyz.site
strongods.ddns.net
global-liquidity-collector.eu.ngrok.io
0.tcp.eu.ngrok.io
meeti.duckdns.org
systemserverrootmapforfiletrn.duckdns.org
santoxpri.duckdns.org
investmenteducationkungykmtsdy8agender.duckdns.org
ikorodu.duckdns.org
d3c00.duckdns.org
kungglobalinvestmenteductgpmstdy8addres.duckdns.org
qq12.duckdns.org
bossmandj.duckdns.org