What do we know about NanoCore RAT? A review.

This blog post was authored by Veronica Valeros, on 2018-09-07

This blog post aims to give an overview of what we know so far about the NanoCore RAT, and to provide an exhaustive list of references associated with this piece of software.

NanoCore is a Remote Access Trojan whose development started in 2012 [1]. A premium RAT, NanoCore was sold for $20, with a full refund available if the buyer was not satisfied with the product within the first 14 days [2]. No questions asked. Often acclaimed as one of the most sophisticated RATs out there, NanoCore was embraced by malicious actors and is actively used in malicious campaigns to this day.

The author of NanoCore, Taylor Huddleston, also known as Aeonhacks, was arrested in late 2016 [1] and sentenced in 2018 to 33 months in prison for "aiding and abetting computer intrusions by selling the malware" [3].

THE MOST SOPHISTICATED RAT OUT THERE?

NanoCore was considered by its original author a 'Remote Administration Tool'. On his website [6], he promoted the tool as reliable and affordable, with 24/7 support. The author explains that the tool allows for remote surveillance (including video, audio, files, and remote administration of processes). It can also create reverse proxy connections, and its original functionality can be extended through plugins.

NanoCore website promotes the tool as reliable, affordable, with 24/7 support. Reference: https://web.archive.org/web/20160815000000*/nanocore.io

The list of plugins was certainly extensive. Some of the plugins were showcased on the NanoCore website (nanocore.io), now only accessible via web.archive.org. The plugins shown there included:

  • Core Plugin: enhances the basic functionality of the tool, with more settings and options.
  • Management Plugin: adds remote console, registry editor, task manager, and file browser.
  • ManagementEx Plugin: adds some extra functionality such as clipboard access, startup settings, installed programs, and window manager.
  • Network Plugin: this plugin is in charge of enabling reverse SOCKS support, among other things.
  • Security Plugin: gives access to firewall and other anti-malware tools.
  • Surveillance Plugin: gives core features such as webcam and microphone access.
  • Tools Plugin: a wide set of tools to have more control of the machine, including the execution of programs on the host.

Whether or not it was the most sophisticated tool, the author surely knew a little more about marketing and how to promote his tool than other RAT developers. Researchers from The DigiTrust Group also have a good overview of the features of NanoCore [10].

NANOCORE RAT LEAKS

As often happens, other actors cracked versions of the malware and released them on the internet. In an article from 2015 [4], researchers at Symantec explain concisely that there were many leaks of NanoCore. The first leak was an alpha version, leaked in late 2013, followed by several leaks of beta versions of the tool over the years. In 2015, however, the first full version of the trojan with premium features in the form of plugins was leaked [4]. The leaks increased the usage of the RAT by malicious actors far beyond what the original author expected.

ORIGINALITY

In an article from 2015, researchers from ENSILO [5] explain how the code of NanoCore is not 100% original. They show that the 'Password Retrieval' functionality of the RAT actually shared code with an already existing tool called “WebBrowserPassView” by NirSoft. They also mention that while NirSoft's tool was freeware, its license didn't allow commercial use.

ATTACKS USING NANOCORE

Remote Access Trojans are used in a wide variety of attacks, from Business Email Compromise (BEC) to highly targeted attacks and espionage. While there are many reports on phishing attacks distributing NanoCore [7] [8] [9], one of the most prominent attacks was first observed in March 2015. According to Symantec [4], malicious actors targeted energy companies in Asia and the Middle East. The companies received emails with a file attached; the file contained a Windows exploit that, after successful exploitation, downloaded the NanoCore RAT onto the victims' computers.

In 2017, researchers from Fortinet [11] documented a case of NanoCore being used in a campaign that targeted French nationals. This time the phishing emails had a PDF file attached. The PDF contained embedded JavaScript used to download the final payload, in this case, NanoCore RAT.

CONCLUSION

There is some controversy over how to classify NanoCore. Is it a remote administration tool, or is it a remote access trojan? As usual, the line is hard to draw, and it boils down to the intent of the authors. In the case of NanoCore, and many other RATs, once the source code is leaked, the tool and its intent are tied to the actor using it.

In any case, we will keep seeing attacks with this trojan in the future. Better be ready.

REFERENCES:

[1] FBI Arrests Hacker Who Hacked No One. (2017-03-31). URL: https://www.thedailybeast.com/fbi-arrests-hacker-who-hacked-no-one. Accessed on 2018-09-07.
[2] Decoding NanoCore Rat. (2014-08-25). URL: https://techanarchy.net/2014/08/decoding-nanocore-rat/. Accessed on 2018-09-07.
[3] Arkansas Man Sentenced to Prison for Developing and Distributing Prolific Malware. (2018-02-23). URL: https://www.justice.gov/opa/pr/arkansas-man-sentenced-prison-developing-and-distributing-prolific-malware. Accessed on 2018-09-07.
[4] NanoCore: Another RAT tries to make it out of the gutter. (2015-03-23). URL: https://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter. Accessed on 2018-09-07.
[5] NanoCore RAT: It's Not 100% Original. (2015-04-13). URL: https://blog.ensilo.com/nanocore-rat-not-100-original. Accessed on 2018-09-07.
[6] NanoCore: The Next Generation in Remote Administration. URL: https://web.archive.org/web/20160716184005/https://nanocore.io/. Accessed on 2018-09-07.
[7] NanoCore RAT Behind an Increase in Tax-Themed Phishing E-mails. (2016-02-09). URL: https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/. Accessed on 2018-09-07.
[8] Malware Meets SysAdmin – Automation Tools Gone Bad. (2015-08-25). URL: https://blogs.cisco.com/security/talos/sysadmin-phish. Accessed on 2018-09-07.
[9] Malspam delivers NanoCore RAT. (2016-10-20). URL: https://isc.sans.edu/forums/diary/Malspam+delivers+NanoCore+RAT/21615/. Accessed on 2018-09-07.
[10] NanoCore Is Not Your Average RAT. (2017-01-01). URL: https://www.digitrustgroup.com/nanocore-not-your-average-rat/. Accessed on 2018-09-07.
[11] PDF Phishing Leads to Nanocore RAT, Targets French Nationals. (2017-10-12). URL: https://www.fortinet.com/blog/threat-research/pdf-phishing-leads-to-nanocore-rat-targets-french-nationals.html. Accessed on 2018-09-07.
[12] NanoCore Rat Config Decoder. (2015-04). URL: https://github.com/kevthehermit/RATDecoders/blob/master/StandAlone/NanoCore.py. Accessed on 2018-09-07.
[13] NanoCore and Unpacking the AutoIT Cryptor. (2016-01-13). URL: http://www.pwncode.club/2016/01/nanocore-and-unpacking-autoit-cryptor.html. Accessed on 2018-09-07.