_Overview

📡This is not a déjà vu, this is an update and improvement of the NanoCore which I looked at years ago because my analysis seems to me very incomplete, and in addition we see how it has evolved and new versions of this malware have been released📡

NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc. It also serves as remote control for the attacker, who will have the ability to manipulate the system, remotely execute scripts, etc.

It first appeared in 2012, and its author was sentenced to over two years in prison in 2017. The code for NanoCore has been leaked on several occasions throughout its versions, allowing different criminal groups like APT to use it at some point, potentially refining or adding functionalities. And undoubtedly, it has also been used by countless Script Kiddies.

NanoCore, therefore, has been used in a multitude of ways and has been notably seen in Spear-Phishing, where it is introduced in a document or in a ZIP/RAR file that triggers the execution of a loader or another malware that runs it. However, it has also been observed in the download of links for some software, trying to appear as a legitimate program, which ends up in the same situation as a download of a script or a ZIP containing a NancRAT loader.

As mentioned earlier, NanoCore has been used by various groups, which, given the functionality of the malware, would act in the intermediate phase of the attack where they already have access to the infrastructure and want relevant information and the ability to freely access it. Although a large number of campaigns using NanoCore in conjunction with other malware that could not be attributed have been seen, there is evidence of groups that have historically been seen using NanoCore:

• APT33 | RefinedKitten (🇮🇳)
• Gorgon Group (🇵🇰)
• Vendetta (🇹🇷)
• TA2719 (🏴)
• TA2722 (🏴)
• Aggah (🏴)

_Overview

Pony (also known as Fareit or Siplog) is a malware categorized as a loader and stealer, although it is also used as a botnet, being a tool that has been used for more than 10 years and is still in use. This infamous malware continues to receive updates and can be purchased, and has been involved in information theft or used to launch other malwares during attacks on victim infrastructures.

Given that this malware has such a long history (yes, 10 years in cyber is a lot), the methods of use and execution of Pony have varied, as it has depended on who has used it, whether they are more or less organized groups. It has typically been seen in phishing campaigns where a typical message in the language of the targeted country was introduced, simulating some kind of urgency, or alternatively, attacked web pages have been seen where download links have been replaced by a Fareit loader or directly the execution of it. Pony has also been notorious in exploit kits or in fake programs where trying to download the free version of something would gift you with a malware disguised as a small horse.

Pony has been seen used by various groups, usually related to crime, whose general objective is usually to obtain money, and whose functionality of stealing data, persisting, and also the possibility of being used as a bot, is tremendously useful. Obviously, most cases of the use of this type of tool cannot be associated with groups, and years ago the code of Pony versions was leaked, which increased its use both in organized and less organized groups. However, when incidents are observed in which an actor interacts with tools typical of a group or with a characteristic kill chain with methodologies that have been used before, it helps us to place these tools also in their use in more organized groups. Therefore, the groups of this type that have been seen using Fareit are as follows:

• Cobalt Group ( 🇷🇺 )
• Gold Evergreen | TA505 | GracefulSpider ( 🇷🇺 )
• Gold Galleon ( Suspected 🇳🇬 )
• Gold Essex | TA544 | NarwhalSpider ( 🏴 )

_Overview

SystemBC, also known as Coroxy or DroxiDat, is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT, as its uses can be diverse depending on the attacker, making it a versatile tool for Threat Actors. Active since 2018, it has gained significant popularity, finding a warm reception in underground markets where it can be purchased, and its interest has not waned. Incidents involving its usage are recorded annually.

Coroxy achieves execution on target systems through various methods, depending on the group using it. Recorded attacks have involved reconnaissance phases, lateral movement, and the deployment of SystemBC, often complemented with CobaltStrike. In other cases, it has been employed in campaigns through Spear-Phishing, where it is delivered and installed on the victim’s system via loaders or other malware. While the malware’s methodology has evolved, its core functionality remains consistent. In most versions of SystemBC, it seeks to gather system and user information, establish persistence, and then create a Socks5 connection with the Command and Control (C&C) server, transmitting basic information, and waiting for commands or the launch of other malware by the attacker. This provides a backdoor for the attacker to operate from their infrastructure.

As mentioned earlier, numerous groups have been associated with the use of SystemBC over the years. These groups, with many linked to ransomware activities, include:

• ViceSociety
• Rhysida
• GoldDupont
• FIN12
• 8BASE
• PLAY
• Hive
• BlackBasta
• TropicalScoprious (CUBA)
• RiddleSpider (Avaddon)
• WizardSpider (Conti, Ryuk)
• Egregor
• DarkSide
• Maze Team (Maze & IcedID)

_Overview

LaplasClipper (Laplas Clipper also known as Laplace Clipper) is a well-known malware that operates as a crypto clipboard hijacker. It has been in use since 2022. This malware can be purchased from its portal for as low as $49, with payment structured as a monthly subscription. LaplasClipper has been employed by various criminal threat actors to steal cryptocurrencies.

This malware gains access to devices through various methods. It has been observed being distributed through YouTube video links or compromised websites, as well as links to files containing LaplasClipper loaders. It has also been delivered via spear-phishing campaigns. In recent versions of the malware, it establishes persistence in registries and injects itself into files it creates to gain an advantageous position. From there, it monitors the clipboard, waiting for cryptocurrency wallet-related information to be added. It modifies this information to hijack the cryptocurrencies to the attacker’s server.

As I said, Laplas has been involved in several executions related to other malware or loaders, some of them, which are related to active groups, are the following:

• VidarStealer
• SmokeLoader
• AresLoader
• RedLine Stealer
• AgentTesla

_Overview

AveMariaRAT, also known as WarZoneRAT, is one of the most famous and widely used RATs in recent years. It can be purchased with a license and monthly subscriptions ranging from $16 to $38 on its website. This tool is used and modified by various groups, ranging from disorganized or resource-limited individuals known as script kiddies to highly relevant criminal groups or APTs.

Some of the notable groups that have been observed using AveMariaRAT include:

• Tomiris ( 🏴 )
• Carbanak | Anunak ( 🇺🇦 )
• Aggah ( 🏴 )
• BlindEagle | APT-C-36 ( 🇨🇴 )
• Confucious ( 🇮🇳 )
• SideWinder ( 🇮🇳 )
• HazyTiger | Bitter ( 🇮🇳 )
• FIN7 ( 🏴 )
• SandWorm Team | Voodo Bear ( 🇷🇺 )
• Kasablanka ( 🏴 )

This malware, used by the mentioned groups, can infiltrate the infrastructure in various ways, from exploiting Spear-Phishing to compromising websites where it is downloaded. Once on our devices, the RAT has capabilities to escalate privileges, bypass UAC, evade defenses like security software, gather sensitive information from the device and user, and inject itself into processes to maintain active communication with the C&C server operated by the attacker

_Inside Look: Evolution of Spear-Phishing Techniques of Notorious Threat Groups

In recent years, different campaigns and threats have been developing, whose entry vector has been the same: email. This initial access always seems the most absurd and unworthy of attention because companies have properly trained their employees. However, the trend tells us the opposite. Many criminal groups and APTs continue to use this technique, varying or evolving it, leaving the most vulnerable element, human error, in doubt.

Phishing (T1566), a social engineering technique used as initial access (TA0001) since the mid-90s, is nothing more than a tool to deceive the victim into providing confidential information. Attackers disguise fraudulent emails with messages that appear familiar to the victim and are difficult (in most cases) to distinguish at a glance from the legitimate ones they are trying to emulate.

Along with this technique, we have spear-phishing, which has different sub-techniques (T1566.001, T1566.002, T1566.003). It uses fraudulent emails to entice the victim to click on a link, open an attachment, etc.

_Overview

AZORult is one of the best known malware within the Stealer family. It is usually sold on Russian forums for prices ranging up to $100. This malware has been used by a large number of important threat actors, including some dedicated to crime such as FIN11 or TA505 (GracefulSpider) or others that are part of a state-sponsored model such as GorgonGroup from Pakistan.

This malware usually starts from an initial point as documents via Spear-Phishing or compromised web pages and is characterized by performing different file drops that later will execute and check the connection to the C&C, after this, it will steal information and create persistence or a backdoor to, before performing the exfiltration of the data, have opportunities to persist in the system and thus, the actor continue obtaining information from the system to which the affected computer belongs and sometimes pivot.

_Overview

RecordBreaker or RacoonStealerV2 is the new version of the stealer Racoon that we can buy as malware-as-a-service at the black markets under $300. Widely used in mass campaigns or used by criminal groups where they try to infect repositories or attach this malware usually compressed in ZIP/RAR format. Its main objective is to reach the largest number of victims and contains different phases including process injection, binary downloading and information theft.

_Overview

SmokeLoader is a malware that generally acts as a backdoor and is commonly used as a loader for other malware. Attributed to the criminal group Smoky Spider, a group that uses SmokeLoader and Sasfis, loader and downloader respectively. SmokeLoader has been used as a bot in infrastructures and contains strong evasion capabilities as well as Anti-Analysis, Anti-VM and Anti-DBG techniques.

_Overview

Tofsee is a malware used for mass campaigns, which does not have an associated group or actor. It has gone through different phases, but has generally been used to create Botnets or SpamBots, as well as mining actions. The starting point of Tofsee is usually a Loader or an email using the SpearPhishing technique that will launch the malware. It has been in all its stages a really worked malware, with code obfuscations, packaged samples, anti-analysis techniques, which led to a backdoor to perform minings taking advantage of the botnet features or to perform Spam.