NanoCore RAT Abuses Windows Task Scheduler to Capture Keystrokes and Screenshots

A detailed analysis of a NanoCore Remote Access Trojan (RAT) sample, a malware family long used for espionage and data theft, shows how it abuses legitimate Windows features rather than software vulnerabilities to persist on a host and spy on its user.

This analysis highlights the malware’s use of obfuscation, persistence mechanisms, and data exfiltration capabilities.

Obfuscation and Deobfuscation Techniques

The analyzed NanoCore sample, identified by the MD5 hash 18B476D37244CB0B435D7B06912E9193, was found to be a .NET executable employing Eazfuscator to hinder reverse engineering.

Using de4dot, researchers successfully deobfuscated the code, revealing its structure and functionality.

[Figure: NanoCore RAT after deobfuscation]

The malware’s modular design allows attackers to dynamically load plugins such as SurveillanceEx, enhancing its spying capabilities.

Persistence via Windows Task Scheduler

NanoCore attempts to use the Windows Task Scheduler for persistence: the sample invokes schtasks.exe to create scheduled tasks, although no task was actually observed during dynamic analysis.

It also persists by copying itself to hidden directories and creating a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Because this key lives in the user hive, writing it requires no administrative rights, and the referenced executable is launched at every logon of that user.

[Figure: NanoCore RAT hidden directory]

Additionally, it stores components in C:\Program Files (x86)\SAAS Monitor, where it drops its executable (saasmon.exe), and in a GUID-named folder under C:\Users\User\AppData\Roaming (User being the account name in the analysis environment).

Data Exfiltration and C2 Communication

NanoCore is equipped with robust data exfiltration capabilities.

It captures keystrokes, clipboard data, and screenshots, storing them locally before transmitting them to a Command-and-Control (C2) server.

During analysis, keylogs were found stored in C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED\logs\users\kbxxxxx.dat.

Network traffic analysis revealed DNS queries to Google Public DNS (8.8.8.8) to resolve the dynamic-DNS hostname simpletest.ddns.net, followed by Command-and-Control traffic to that host on port 9632.

These connections enable attackers to issue remote commands and exfiltrate sensitive information.

Modular Plugin Architecture

NanoCore’s modular architecture allows attackers to expand its capabilities through plugins.

For instance, the SurveillanceEx plugin enhances spying features such as capturing screenshots and monitoring user activity.

According to the researchers, this flexibility makes NanoCore a persistent threat in the cybersecurity landscape.

Indicators of Compromise (IOCs)

Key indicators of compromise include:

  • File Hash (MD5): 18B476D37244CB0B435D7B06912E9193
  • Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
  • File Locations:
    • C:\Program Files (x86)\SAAS Monitor\saasmon.exe
    • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED (the User profile name is specific to the analysis host; check every profile)
  • Network Indicators:
    • C2 Domain: simpletest.ddns.net
    • Port: 9632
    • DNS Resolver: 8.8.8.8 (Google Public DNS, used only to resolve the C2 domain; it is not malicious on its own and should not be blocked or alerted on by itself)
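The following host-triage script is an added example, not part of the researchers’ analysis or the NanoCore code itself. It checks a Windows machine for the persistence mechanisms described above (the Run key, the dropped files, and any scheduled task that the schtasks.exe attempt might have created on a different host) and for the network indicators. The function name Add-Finding, the $Findings collection, the decision to scan every profile under C:\Users instead of only C:\Users\User, and the assumption that the port-9632 C2 channel is TCP are this example’s own; run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example: triage a Windows host for the NanoCore indicators from the report.
# Run elevated. Findings are collected as objects so they can be exported or compared.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Type, [string]$Detail)
    # $Findings is a reference type, so .Add() from inside the function updates the caller's list.
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Run-key persistence. The report names the value 'saasmon.exe'; also match on the
#    value data so a renamed value that still points at the dropped binary is caught.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVals = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runVals) {
    foreach ($prop in $runVals.PSObject.Properties) {
        if ($prop.Name -eq 'saasmon.exe' -or "$($prop.Value)" -match 'saasmon\.exe|SAAS Monitor') {
            Add-Finding 'RunKey' "$($prop.Name) = $($prop.Value)"
        }
    }
}

# 2. Dropped files. The sandbox used C:\Users\User; real victims will have other profile names,
#    so build the GUID-directory path for every profile on the host (assumption of this example).
$dropPaths = @("${env:ProgramFiles(x86)}\SAAS Monitor\saasmon.exe")
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $dropPaths += Join-Path $profile.FullName 'AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED'
}
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path) {
        Add-Finding 'File' $path
        # -Force so hidden items are returned; hash only files, not the GUID directory.
        $item = Get-Item -LiteralPath $path -Force
        if (-not $item.PSIsContainer) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
            if ($md5 -eq '18B476D37244CB0B435D7B06912E9193') {
                Add-Finding 'Hash' "$path matches the analyzed sample (MD5 $md5)"
            }
        }
    }
}

# 3. Scheduled tasks. No task was seen in the sandbox, but the sample does call schtasks.exe,
#    so look for any task whose action references the dropped binary or its directory.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'saasmon\.exe|SAAS Monitor') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) -> $($action.Execute) $($action.Arguments)"
        }
    }
}

# 4. Network. Live TCP connections to the reported C2 port (TCP is an assumption; the report
#    only gives the port number) and cached resolutions of the dynamic-DNS C2 name.
#    8.8.8.8 is deliberately not checked: it is the resolver, not the C2 server.
foreach ($conn in Get-NetTCPConnection -RemotePort 9632 -ErrorAction SilentlyContinue) {
    Add-Finding 'TCP9632' "$($conn.LocalAddress):$($conn.LocalPort) -> $($conn.RemoteAddress):$($conn.RemotePort) (PID $($conn.OwningProcess))"
}
foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
    if ($entry.Entry -like '*simpletest.ddns.net*') {
        Add-Finding 'DnsCache' "$($entry.Entry) -> $($entry.Data)"
    }
}

if ($Findings.Count -eq 0) {
    'No NanoCore indicators found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

The checks are ordered from cheapest to most expensive and every branch is independent, so a hit in one category is reported even if the others are clean. Treat a TCP9632 or DnsCache hit as the strongest signal: the file paths and value names can change between builds, but the C2 hostname and port are what the operator must keep stable.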

NanoCore RAT exemplifies the threat posed by modular malware.

Its abuse of the Windows Task Scheduler and the Run key for persistence, coupled with its keylogging, clipboard capture, and screenshot exfiltration, makes it a significant risk for organizations.

Monitoring for the network indicators above, particularly the dynamic-DNS C2 hostname, consuming threat intelligence, and auditing user-level persistence locations are essential to detect and contain such threats.
