NanoCore is a Remote Access Trojan or RAT. This malware is highly customizable with plugins which allow attackers to tailor its functionality to their needs. Nanocore is created with the .NET framework and it’s available for purchase for just $25 from its “official” website.

Type: Trojan
Origin: USA
First seen: 1 January, 2013
Last seen: 12 July, 2024

What is NanoCore malware?

This malware was first recorded in the wild in 2013 and has since become extremely popular; it is now used in attacks all around the world. As modular malware, the NanoCore backdoor's functionality can be greatly expanded with plugins, which makes an already dangerous RAT potentially even more destructive for an organization's cybersecurity.

Distributed on its own website with 24/7 technical support for just $25 with all official plugins included, the malware can also be downloaded from hacking forums, where its "cracked" version has been leaked multiple times, making it an extremely accessible trojan to set up and use. Unfortunately, this accessibility, ease of use, and the abundance of information on NanoCore still contribute to its growing popularity. It is not completely certain whether the malware was developed as a commercial program for institutions or whether the creator intended to build malicious software from the beginning. Regardless, NanoCore's author, Taylor Huddleston, was tracked down and arrested by the FBI.

General Information about NanoCore RAT

According to the analysis, NanoCore's first beta appeared in 2013. The latest version of the malware is openly sold on its own website, NANOCORE_dot_io, which unfortunately has helped ensure its high popularity. Today NanoCore RAT targets victims worldwide, though the majority of attacks take place in the US.

One of the key characteristics of this RAT is that technically savvy attackers are able to greatly expand the functionality of the malware, fine-tuning it to suit their needs, for instance by adding screen locker functionality. Some essential plugins are already provided with the purchase bundle on the "official" website. Other, even more sophisticated ones are developed by the community of cybercriminals that has formed around NanoCore.

For crooks who don't want to fiddle with plugins, NanoCore provides a straightforward user interface that allows even novice criminals to launch potentially destructive malicious campaigns, further contributing to the popularity of the malware.

Interactive analysis of NanoCore

A video of the execution process provided by the ANY.RUN malware hunting service allows us to analyze the lifecycle of this trojan, as well as other malware such as WSHRAT or Vidar. We can watch NanoCore's behavior and all of its processes as they unfold in a secure online environment.

Figure 1: A visual graph of NanoCore execution processes generated by ANY.RUN

How does NanoCore spread?

NanoCore RAT is distributed using multiple methods, but the most common is spam email campaigns that trick users into downloading malicious documents, often presented as price lists or purchase orders.

The emails sometimes contain malicious attachments with an .img or .iso extension; the large size of these files makes them difficult to scan. Some versions of the malware are also spread in a ZIP file that evades secure email gateways. A multi-file structure is used here: one script file downloads the payload while the rest are decoys that help the malicious content go unnoticed by the system's security.

PowerPoint files follow the same scenario: the infection chain takes place over multiple stages before the final payload is executed.

NanoCore RAT execution process

NanoCore is delivered to the victim's PC using the AutoIt program, not unlike Agent Tesla malware, which is fairly typical for this type of RAT. Typically, NanoCore is spread using Microsoft Word documents; the infected files contain an embedded executable file or an exploit.

According to the RAT analysis, once the file is opened, embedded macros download an executable file and rename it. The downloaded executable runs and creates a child process. The malware is able to use Regsvcs and Regasm to proxy its code execution through a trusted Windows utility.

Figure 2: A process tree of NanoCore execution processes generated by ANY.RUN

How to detect NanoCore malware using ANY.RUN?

You can identify whether you are dealing with a sample of NanoCore RAT by a quick analysis of the files and scripts created by the malware. Most often, NanoCore injects into three processes: RegSvcs.exe, RegAsm.exe, and MSBuild.exe.

Open "Advanced details of process" for these processes and look at the "Modified files" tab in the "Events" section. If a file named "run.dat" was created by one of these processes and placed in the %Root%:\Users\username\AppData\Roaming\[GUID] folder, you can be sure that the malware you are observing is, in fact, the NanoCore trojan.

Figure 3: File created by NanoCore
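The same check, scripted over file-creation events: an added example, not ANY.RUN's own code, that flags a run.dat written under a GUID-named Roaming folder by one of the three injection hosts named above. The "process|path" event format and the sample GUID are constructed for the example.

```python
import re
from typing import Dict, List

# Processes NanoCore most often injects into, per the analysis above.
INJECTED_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe"}

# run.dat dropped in <drive>:\Users\<user>\AppData\Roaming\<GUID>\run.dat.
# The GUID folder may or may not be wrapped in braces.
RUN_DAT_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\"
    r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
    r"\\run\.dat$",
    re.IGNORECASE,
)

# Constructed sample events in a hypothetical "process|path" format,
# standing in for the "Modified files" tab of a sandbox report.
SAMPLE_EVENTS = r"""
RegAsm.exe|C:\Users\victim\AppData\Roaming\1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D\run.dat
MSBuild.exe|C:\Users\victim\AppData\Roaming\{1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D}\run.dat
explorer.exe|C:\Users\victim\AppData\Roaming\1A2B3C4D-5E6F-4A7B-8C9D-0E1F2A3B4C5D\run.dat
RegAsm.exe|C:\Users\victim\AppData\Roaming\Microsoft\Windows\Recent\order.lnk
RegSvcs.exe|C:\Users\victim\AppData\Local\Temp\run.dat
"""


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'process|path' record into its two fields."""
    process, path = line.split("|", 1)
    return {"process": process.strip(), "path": path.strip()}


def is_nanocore_run_dat(event: Dict[str, str]) -> bool:
    """True only when BOTH indicators hold: injection host AND run.dat path."""
    host_ok = event["process"].lower() in INJECTED_HOSTS
    return host_ok and RUN_DAT_RE.match(event["path"]) is not None


def scan_events(text: str) -> List[Dict[str, str]]:
    """Return every event that matches the NanoCore run.dat indicator."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            event = parse_event(line)
            if is_nanocore_run_dat(event):
                hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"NanoCore indicator: {hit['process']} wrote {hit['path']}")
```

Only the first two sample lines are reported: the explorer.exe write has the right path but the wrong process, and the remaining two are written by an injection host but not to a GUID-named Roaming folder.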

Conclusion

Thanks to its accessibility, ease of use, customization, and the plenty of information available, NanoCore's popularity has escalated, making it one of the most widespread RATs in the world. Even though NanoCore's creator has been arrested by officials, due to the appearance of several cracked versions, NanoCore is still openly available on hacker forums.

Often, it can be acquired for free, allowing anybody to set up attacks. The popularity of the malware is further aided by the fact that one does not need much programming knowledge to use this Trojan, as it comes equipped with a user-friendly interface. At the same time, very sophisticated and destructive attacks can be carried out with NanoCore RAT by skillful hackers, since its malicious capabilities can be extended with custom plugins. Thankfully, modern analysis tools such as ANY.RUN allow researchers to examine malware in detail, learn about its behavior patterns and set up an appropriate cybersecurity response.
