NanoCore is a modular remote access trojan (RAT) written in .NET that is used to spy on computer systems and steal information. It has been used by threat actors since 2013.

NanoCore affects the following operating systems: Windows.

NanoCore can download and activate additional modules for execution. It communicates with its C2 server over ports 6666 and 4782 and uses DES to encrypt the C2 traffic. It can edit the Registry, and it creates a RunOnce key to execute its VBS scripts each time the user logs on. It also gathers the IP address of the target machine and modifies the victim's firewall.
NanoCore Malware Capabilities
NanoCore may use a variety of methods to evade detection and persist on a system, including using a non-standard port for C2 communications, interacting with the Windows Registry, and encrypting or obfuscating files. NanoCore may also capture video and images from devices or applications on the system.
- NanoCore may transfer tools or other files from an external system into a compromised environment. This may be done through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within the compromised environment. NanoCore may also conduct C2 communications over a non-standard port (6666 and 4782 are the ports attributed to it) to bypass proxies and firewalls that have been improperly configured. Finally, NanoCore may interact with the Windows Registry to hide configuration information within Registry keys, to remove information as part of cleaning up, or as part of other techniques that aid persistence and execution.
- NanoCore may gather information about the host's network configuration (such as its IP address) and disable or modify the system firewall to make its traffic and listeners possible. It may also use symmetric encryption (DES) to conceal its command and control traffic.
- NanoCore may be used to achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. It may also attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
- NanoCore may be used to log user keystrokes in order to intercept credentials, as well as to record audio conversations in order to gather information. Additionally, it may abuse the Windows command shell for execution.
Ways to Mitigate NanoCore Malware Attacks
- NanoCore activity can be detected by monitoring file creation and transfer, analyzing network data, and enabling Registry auditing. Changes to Registry entries, services, and files within the startup folder may be indicative of NanoCore. If a change to a service-related entry occurs, it may be followed by a service start or restart to execute the malicious file.
- Monitoring processes and command-line arguments (for example, commands that add firewall rules or change firewall profiles) and Registry edits to firewall settings can reveal a firewall being disabled or modified. Because NanoCore protects its C2 traffic with a symmetric cipher (DES), the algorithm and key can be recovered from a sample and used to decode captured network traffic and look for the malware's communication signatures.
- Persistence through Registry run keys and startup folders can be detected by monitoring for changes to those keys and folders, and by correlating such changes with suspicious program execution and with files whose contents are obfuscated.
- NanoCore allows attackers to take control of a system and steal sensitive information. It can be difficult to detect because of the various ways it can be installed and the various API calls it uses. Indicators include changes to the Registry and file system, new drivers being installed, and unusual API calls. If scripts are not normally used on a system but scripting is enabled, scripts running outside of patching or other administrative activity are suspicious and may indicate NanoCore. Scripts should be captured from the file system and analyzed to determine their purpose and intent.
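The detection points listed above (outbound connections to NanoCore's default C2 ports, a Run or RunOnce value that launches a VBS script through a script host, and firewall tampering from the command line) can be turned into a small correlation pass over endpoint telemetry. The following is an added example, not NanoCore's code or a vendor signature; it assumes Sysmon-style event fields (EventID 3 network connection, EventID 13 Registry value set, EventID 1 process creation) and runs over constructed sample events embedded in the script.

```python
"""Scan Sysmon-style events for the NanoCore behaviours described on this page.

Example code added to this page; the events below are constructed samples, not
real telemetry, and the field names follow Sysmon's schema as an assumption.
"""
from __future__ import annotations

import re

# C2 ports attributed to NanoCore in the text above.
NANOCORE_C2_PORTS = {6666, 4782}

# Any Run or RunOnce key under ...\CurrentVersion\ (HKCU or HKLM hive).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# A Run value that invokes a script host or points straight at a .vbs file.
SCRIPT_HOST_RE = re.compile(r"(?:wscript|cscript)\.exe|\.vbs\b", re.IGNORECASE)
# Firewall tampering via netsh (rule creation, profile state changes).
FIREWALL_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\b", re.IGNORECASE)

# Constructed sample events: paths, IPs and SIDs are made up for the example.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": True, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "Initiated": True, "DestinationIp": "198.51.100.7", "DestinationPort": 4782},
    # Inbound connection on 6666: not an outbound beacon, so not flagged here.
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": False, "DestinationIp": "10.0.0.5", "DestinationPort": 6666},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\update",
     "Details": r"wscript.exe //B C:\Users\alice\AppData\Roaming\update.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface show interface"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="svchost" dir=in '
                    'action=allow program="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe"'},
]


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, description) pairs for one event; empty list if benign."""
    findings: list[tuple[str, str]] = []
    eid = ev.get("EventID")
    if eid == 3:
        # Only outbound (Initiated) connections look like a beacon to a C2 port.
        port = int(ev.get("DestinationPort", 0))
        if ev.get("Initiated") and port in NANOCORE_C2_PORTS:
            findings.append(("c2_port", f"{ev.get('Image')} connected outbound to "
                                        f"{ev.get('DestinationIp')}:{port}"))
    elif eid == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        # Run/RunOnce value whose payload is a script host or a .vbs path.
        if RUN_KEY_RE.search(target) and SCRIPT_HOST_RE.search(details):
            findings.append(("runonce_script", f"{ev.get('Image')} set {target} = {details}"))
    elif eid == 1:
        cmd = ev.get("CommandLine", "")
        if FIREWALL_RE.search(cmd):
            findings.append(("firewall_modify", f"{ev.get('Image')} ran: {cmd}"))
    return findings


def scan(events: list[dict]) -> list[dict]:
    """Run every event through check_event and flatten the hits with their index."""
    hits = []
    for idx, ev in enumerate(events):
        for rule, desc in check_event(ev):
            hits.append({"index": idx, "rule": rule, "image": ev.get("Image"), "detail": desc})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['rule']}] event {hit['index']}: {hit['detail']}")
```

On the sample set the pass flags three events: the outbound connection to port 4782 from a binary in a user-writable directory, the RunOnce value launching wscript.exe on a .vbs file, and the netsh advfirewall rule creation. The inbound 6666 connection and the legitimate OneDrive Run value are left alone. Note that Windows deletes a RunOnce value after it executes, so a RunOnce entry that keeps reappearing from the same unsigned binary is itself a strong signal that the malware is rewriting it at each logon.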
About Gorgon Group Threat Group
- APT33, Group5, and SilverTerrier are all threat groups that have been active since at least 2013. Gorgon Group is a threat group that has been active since 2014.