Bad actors have changed the distribution mechanism for the NanoCore RAT over time. Previously, we saw the NanoCore payload being distributed via a DOC file with auto-executable macros or via a malicious PDF file. Then, we saw NanoCore being distributed via web downloads embedded in spam or phishing emails. Recently, we wrote about Microsoft PowerPoint files being used to spread NanoCore RAT. Now, we are observing the NanoCore RAT being distributed via web downloads. (There have also been a few mentions of the NanoCore RAT being distributed via AutoIT and PowerShell.)
Let's take a look at what we've been seeing in the Zscaler Cloud when it comes to the NanoCore RAT.
Typically, NanoCore payloads are hosted on a compromised site.
Technical Analysis
Sample: 4AB9AF198F199A7CAFD1DF996562874C
The main file is built in Microsoft Intermediate Language (MSIL). The source is quite obfuscated and encrypted with some custom routines. It includes one encrypted file and one PNG file in its resources.
Stage 1
The encrypted resource file is getting decrypted by the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode of operation (DES-CBC) with a predefined key and initialization vector (IV).
The decrypted data is a Portable Executable (PE) file, which contains the code to extract and decode the hidden payload inside the PNG file.
This PE file is a .NET dynamic link library (DLL) named LibraryMethods.dll. It is loaded at runtime and passed the PNG resource data as its argument.
This malware uses steganography techniques to hide the next stage payload in a plain image. The steganography decryption routine is present in LibraryMethods.dll.
The data is extracted from the PNG resource and decrypted, and the next-stage payload is then executed in memory.
Stage 2
The second stage payload is again a .NET PE file. This file contains two encrypted resources.
It decrypts the resources with the same DES-CBC algorithm but with a different key and IV. The resource known as kFnU contains the command strings used to weaken the infected system.
The resource known as AZvDEOH is also a PE file, which is directly loaded in the memory after decryption. This PE file is the NanoCore binary.
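The DES-CBC resource decryption that Stage 1 and Stage 2 both rely on (and that the NanoCore configuration reuses later) is easy to reproduce in analyst tooling. The following Go example is added here and is not Zscaler's code or code from the sample: the key, IV and encrypted blob are constructed placeholders (the real key and IV have to be recovered from the sample's own decryption routine), and it assumes the PKCS#7 padding that .NET's DES provider applies by default.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
)

// Constructed placeholder key/IV: the real ones are hard-coded in the sample's decryption routine.
var sampleKey = []byte("k3y-8byt") // single DES takes an 8-byte key
var sampleIV = []byte("iv-8byte")

// DecryptResource reproduces the DES-CBC step between stages and strips the PKCS#7
// padding that .NET's DES provider applies by default.
func DecryptResource(key, iv, blob []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs || len(blob) == 0 || len(blob)%bs != 0 {
		return nil, errors.New("IV or ciphertext length is not a multiple of the DES block size")
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, blob)
	pad := int(out[len(out)-1])
	if pad < 1 || pad > bs || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key/IV or not DES-CBC")
	}
	return out[:len(out)-pad], nil
}

// Classify flags a decrypted stage as a PE (loaded in memory next) or other data (commands, config).
func Classify(plain []byte) string {
	if len(plain) >= 2 && plain[0] == 'M' && plain[1] == 'Z' {
		return "pe"
	}
	return "data"
}

// encryptForDemo builds a constructed ciphertext so the example runs offline (real input: the resource bytes).
func encryptForDemo(key, iv, plain []byte) []byte {
	block, _ := des.NewCipher(key)
	pad := block.BlockSize() - len(plain)%block.BlockSize()
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out
}
```

A padding error on real resource bytes usually means the recovered key or IV is wrong, or the variant switched to a different cipher.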
NanoCore binary
NanoCore RAT is written in the .NET framework and first appeared in 2013. The NanoCore RAT is powerful enough to perform a variety of malicious operations including:
- File manipulation
- Registry editing
- Process control
- File transfer
- Remote command execution
- Keylogger
- Password recovery
- Download and execute other payloads
The impact of this RAT is that it compromises a system with backdoor capabilities that can execute malicious commands, gather user credentials, log keystrokes and steal user information.
The NanoCore binary has encrypted configuration data in the RCDATA resource.
This encrypted data is decrypted with the DES algorithm as shown in Figure 10.
The decrypted NanoCore configuration is shown in Figure 11.
The NanoCore RAT uses a custom TCP protocol to connect to a server specified by the attacker on the specified port. This sample uses the DES algorithm to encrypt the traffic, which is shown below. The encrypted data is simply a combination of the machine name, user name, system GUID, app version, and executable path.
This sample has a primary host as aboki0419.duckdns[.]org and backup host as abokijob.hopto[.]org. It resolves one of the domains and sends customized TCP packets to its IP address.
Nanocore RAT capabilities
This malware can steal browser and FTP credentials and send them to its command and control (CnC) server via a custom TCP protocol. This RAT can also steal user’s email credentials. All of this leads to a complete system compromise.
Details from the Zscaler Cloud Sandbox
Conclusion
As we saw in the technical analysis section, this malware uses many layers of obfuscation to hide its actual payload. The ThreatLabZ team continuously monitors ever-evolving advanced malware and places detections for the different layers of malware execution. We will continue to monitor the NanoCore RAT and other threats to keep our customers safe.
IOCs