Nanocore

NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 16 April, 2021
Global rank: 4
Week rank: 5
Month rank: 5
IOCs: 11269

What is NanoCore malware?

This malware was recorded in the wild for the first time in 2013. Since then it has become extremely popular, and it is now used in attacks all around the world. As a modular malware, the functionality of the NanoCore backdoor can be greatly expanded with plugins. This makes an already dangerous RAT potentially even more destructive.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums, where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, the accessibility and ease of use of NanoCore are still contributing to its growing popularity. It is not completely certain whether the malware was being developed as a commercial program for institutions or whether the creator intended to create malicious software from the beginning. Regardless, NanoCore's author, Taylor Huddleston, was tracked down and arrested by the FBI.

General description of NanoCore

NanoCore’s first beta appeared in 2013. The latest version of the malware is being openly sold on its own website NANOCORE_dot_io. Unfortunately, this helped ensure the high popularity of the malware. Today NanoCore RAT targets victims worldwide. However, the majority of attacks are taking place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen locker functionality to the virus. Some essential plugins are already provided with the purchase bundle on the “official” website. Other, even more sophisticated ones are being developed by the community of cybercriminals that has formed around NanoCore.

For attackers that don’t want to engage in fiddling with plugins, NanoCore provides a straightforward user interface that allows even novice attackers to launch potentially destructive malicious campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by ANY.RUN malware hunting service allows us to take a closer look at the lifecycle of the trojan. We can watch its behavior as well as all processes as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods. However, the most commonly used is spam email campaigns. They trick users into downloading malicious documents, often presented as price lists or purchase orders.

The emails sometimes contain malicious attachments with an .img or .iso extension. The large size of these files makes them difficult to scan. Some versions of the malware are also spread in a ZIP file that evades secure email gateways. A multi-file structure is used here: one file downloads the payload while the rest are decoys that ensure the malicious content goes unnoticed.

PowerPoint files follow the same scenario: the infection chain takes place over multiple stages before the final payload is executed.

NanoCore execution process

NanoCore is delivered to the victim’s PC using the AutoIt program, not unlike Agent Tesla malware; this is somewhat typical for this type of RAT. Typically, NanoCore is spread using Microsoft Word documents. Infected files contain an embedded executable file or an exploit.

Once the file is opened, embedded macros download an executable file and rename it. The downloaded file runs itself and creates a child process. The malware is able to use Regsvcs and Regasm to proxy code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT or not by taking a look at the files created by the malware. Most often, NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is, in fact, the NanoCore trojan.
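The two behaviours described above (a Word document whose child process ends up in RegSvcs.exe, RegAsm.exe or MSBuild.exe, and one of those processes writing run.dat into a GUID-named folder under AppData\Roaming) can be turned into a small hunting check over sandbox or EDR telemetry. The following Python is an added example and not ANY.RUN's code; the event layout, the process names and PIDs in the sample timeline are all constructed for illustration, and the GUID folder pattern is assumed to follow the standard 8-4-4-4-12 form with optional braces.

```python
"""Hunt for NanoCore indicators in a constructed process/file event timeline.

Added example (not ANY.RUN's code). Two checks from the write-up:
  1. a file named run.dat written to <drive>:\\Users\\<user>\\AppData\\Roaming\\<GUID>\\
  2. by a process whose image is RegSvcs.exe, RegAsm.exe or MSBuild.exe,
plus the parent chain of that process, so an Office parent (the macro stage)
is visible in the finding.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Processes the write-up names as NanoCore's usual injection targets.
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}
# Office hosts that start the infection chain (Word and PowerPoint per the write-up).
OFFICE_APPS = {"winword.exe", "powerpnt.exe"}

# <drive>:\Users\<user>\AppData\Roaming\<GUID>\run.dat, GUID braces optional (assumed form).
RUN_DAT_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"
    r"\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?\\run\.dat$",
    re.IGNORECASE,
)


@dataclass
class Event:
    kind: str                      # "process" = process start, "file" = file written
    pid: int
    image: str                     # full image path of the acting process
    parent_pid: Optional[int] = None
    path: str = ""                 # file path, only for "file" events


# Constructed sample timeline resembling a sandbox run; not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    Event("process", 100, r"C:\Windows\explorer.exe"),
    Event("process", 200, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 100),
    Event("process", 300, r"C:\Users\victim\AppData\Local\Temp\order.exe", 200),
    Event("process", 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", 300),
    Event("file", 400, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
          path=r"C:\Users\victim\AppData\Roaming\1F4E2A7C-9B0D-4C3E-8A61-0D2F5B7E9C11\run.dat"),
    # Benign noise: a real build writing a log, so MSBuild alone must not trigger.
    Event("process", 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", 100),
    Event("file", 500, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
          path=r"C:\Users\victim\AppData\Roaming\build.log"),
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def lineage(pid: int, procs: Dict[int, Event]) -> List[str]:
    """Walk parent links upwards; return image basenames, root first."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].parent_pid  # None ends the walk
    return list(reversed(chain))


def hunt_nanocore(events: List[Event]) -> List[dict]:
    """Return one finding per run.dat drop by an injection host, with its ancestry."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    findings = []
    for e in events:
        if e.kind != "file" or basename(e.image) not in INJECTION_HOSTS:
            continue
        if not RUN_DAT_RE.match(e.path):
            continue
        chain = lineage(e.pid, procs)
        findings.append({
            "pid": e.pid,
            "process": basename(e.image),
            "file": e.path,
            "chain": chain,
            "office_parent": any(p in OFFICE_APPS for p in chain),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_nanocore(SAMPLE_EVENTS):
        print(f"NanoCore indicator: pid {f['pid']} ({f['process']}) wrote {f['file']}")
        print("  chain:", " -> ".join(f["chain"]), "| office parent:", f["office_parent"])
```

The run.dat drop is the decisive indicator here; the process lineage is reported alongside it so that an analyst can see the Word-to-dropper-to-RegAsm chain the write-up describes without a second query. Note that MSBuild.exe writing an ordinary file under Roaming is deliberately left unflagged, which keeps developer machines from generating noise.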

Figure 3: File created by NanoCore

Conclusion

Thanks to its accessibility, ease of use, and customization, the popularity of NanoCore has escalated, making it one of the most widespread RATs in the world. Even though NanoCore's creator has been arrested by officials, due to the appearance of several cracked versions, NanoCore is still openly available on hacker forums.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.

IOCs

IP addresses
103.133.105.179
74.201.28.50
3.142.167.54
85.86.181.192
79.134.225.73
194.5.98.28
3.141.142.211
31.220.4.216
195.174.209.145
185.191.231.252
52.14.18.129
3.22.53.161
3.131.207.170
13.59.15.185
3.128.107.74
176.41.130.166
79.134.225.17
89.82.152.254
3.13.191.225
Hashes

Domains
buffercc.duckdns.org
cldgr.duckdns.org
8.tcp.ngrok.io
6.tcp.ngrok.io
anunankis1.duckdns.org
poseidon99.ddns.net
subsnet.duckdns.org
ongod4life.ddns.net
lachattemouilleee3875383444.duckdns.org
icecubee.ddns.net
babbyhouse90.duckdns.org
erunski22.ddns.net
u856112.nvpn.so
judge777.ddns.net
newlogs.ddns.net
viccavi.duckdns.org
dhanaolaipallets.com
bestubuy.ddns.net
passwrdboss.duckdns.org
dealbaba.ddns.net
