NanoCore RAT — Malware of the Month, May 2020

In mafia lore, a rat is considered the lowest of the low. A rat is a squealer who puts the very survival of the organization in jeopardy.

When it comes to protecting your business from cyberthreats, you need to take a leaf out of the mafia’s book and ‘handle’ the RAT.

The May ‘malware of the month’ is NanoCore malware — one of the most sophisticated Remote Access Trojans (RAT) around. It creates a backdoor entrance for hackers to gain administrative control over victims’ devices.

What is NanoCore?

NanoCore is a high-risk RAT that provides attackers with details on the device name and OS. This information is used to carry out various malicious activities, such as manipulating confidential files, hijacking webcam and microphone, stealing login credentials and more.

NanoCore comes with base plugins that expand the performance capability of the malware, inciting specific malicious attacks. Since its discovery in 2013, NanoCore has gone through multiple versions over the years.

How Does NanoCore RAT Work?

Most malware are designed for one specific type of attack. However, NanoCore allows hackers to do just about anything they want to once they gain complete, anonymous control over infected devices.

In 2015, targeted emails were sent to energy companies in Asia and the Middle East by spoofing email addresses of a legitimate South Korean oil company. Attached to the email was a malicious RTF file that dropped the NanoCore trojan.

This is the sequence of events that shows how NanoCore was executed, ultimately putting the victims’ Office 365 data at risk.

Technique Action
Phishing A malicious RTF file email attachment is sent to the victim’s Outlook.
Payload Deployment The user clicks the attachment and the trojan is uploaded on the device without any detection.
Business Email Compromise Keyloggers are used to steal Office 365 credentials to gain access to financial information and other business-critical data.
Ransomware Information is moved over to servers owned by hackers. The victims are then asked to a pay fee to get the stolen Office 365 data back.

Keep your Office 365 credentials and data protected from cybercriminals. Learn More.

How is NanoCore Delivered?

Generally, malicious spam email attachments like MS Office documents are used to deliver NanoCore malware. But with advanced spam filters, cybercriminals are forced to get creative, and you can bet they are leaving no stone unturned.

Here are a few ways modern NanoCore is being deployed:

Microsoft Office PowerPoint

PowerPoint files are being used by threat actors to spread NanoCore RAT. The delivery method is very distinct since the infection chain takes place over multiple stages before the final payload is executed. Even email gateway scanners are unable to cut through the multi-layered approach.

A sample nanocore email with a powerpoint attachment delivery.

Image courtesy of Zscaler.

ZIP File 

Multiple ZIP file structures are used to bypass secure email gateways. Basically, one file will payload the trojan while the rest are decoys that ensure the malicious content goes unnoticed.

ISO Image

The large size of ISO files makes it difficult to scan them. Moreover, opening an ISO is as simple as double-clicking the file. This particular ‘convenience’ increases the chance of victims clicking on the malicious attachment.

Sample nanocore email with an ISO attachment delivery.

Image courtesy of SonicWall

NanoCore: The Origin

Taylor Huddleston, aka Aeonhacks, admitted in 2016 that he developed, marketed and distributed NanoCore on the Dark Web from 2012 to 2016. He was subsequently arrested and sentenced to three years in federal prison for aiding and abetting computer intrusions. Unfortunately, this did not slow the spread of the Trojan. Hackers kept Taylor’s creation alive and kicking by releasing different versions throughout the years.

Taylor Huddleston, the creator of NanoCore.

Image courtesy of KrebsOnSecurity

NanoCore: The Nastiest RAT

A new version of the infamous RAT, dubbed NanoCore v1.2.2, has resurfaced on the Dark Web. A special RAT kit is being sold for as low as $25, with a free ‘cracked’ version also available. The generous price tag allows even a rookie cybercriminal to launch an effective RAT attack.

The RAT kit includes:

  • Remote surveillance with desktop, webcam and audio feeds
  • Reverse proxy connection capability
  • Plugins
  • 24/7 support (because ironically, cybercriminals also care about customer satisfaction)

However, the really nasty feature of this NanoCore version is that it’s difficult to detect. This is because most of the actions it performs are similar to other legitimate operations, making it seem benign to most cybersecurity teams. Moreover, it carries out precise operations that don’t typically resemble malware techniques, in essence pulling the wool over the eyes of IT administrators.

Consequently, businesses end up bleeding money due to data loss, privacy issues, hardware damage and long hours of unplanned downtime. Certainly not a very pleasant situation to be in.

Protect Your Business Against NanoCore

Educating employees on security best practices can help them stay alert against phishing scams. With that being said, it would be prudent not to rely solely on the judgment of your employees. A good backup and recovery system needs to be put in place to protect your business when things go south.

Spanning enables you to adopt a robust approach when dealing with RATs. Spanning’s reporting and sophisticated intrusion detection system ensures IT administrators are given a clear insight into the backup health of the business. It alerts admins by flagging them via email notifications in case any discrepancies in the files are identified. This allows them to take necessary action and neutralize the threat before it causes major damage.

Protect Your Data With Spanning