Bad actors have changed the distribution mechanism for the NanoCore RAT over time. Previously, we saw the NanoCore payload being distributed via a DOC file with auto executable macros or via a malicious PDF file. Then, we saw Nanocore being distributed via web downloads embedded in spam or phishing emails. Recently, we wrote about Microsoft PowerPoint files being used to spread NanoCore RAT. Now, we are observing the NanoCore RAT being distributed via web downloads. (There have also been a few mentions of the NanoCore RAT being distributed viat AutoIT and PowerShell.)
Let's take a look at what we've been seeing in the Zscaler Cloud when it comes to the NanoCore RAT.
Figure 1 shows more than 100 payloads of the NanoCore RAT blocked by Zscaler in the month of March alone.
Figure 1: NanoCore hits in the Zscaler Cloud.
Typically, NanoCore payloads are hosted on a compromised site, such as the one shown in Figure 2.
Figure 2: NanoCore shown in an open directory.
The main file is built in Microsoft Intermediate Language (MSIL). The source is quite obfuscated and encrypted with some custom routines. It includes one encrypted file and one PNG file in its resources.
The encrypted resource file is getting decrypted by the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode of operation (DES-CBC) with a predefined key and initialization vector (IV).
Figure 3: Resource decryption with DES.
The decrypted data is a Portable Executable (PE) file, which contains the code to extract and decode the hidden payload inside the PNG file.
This PE file is a .NET dynamic link library (DLL) file and has the name LibraryMethods.dll. This is loaded at runtime with the argument as PNG resource data.
Figure 4: The resource PNG file.
This malware uses steganography techniques to hide the next stage payload in a plain image. The steganography decryption routine is present in LibraryMethods.dll.
Figure 5: The steganography decryption routine for the PNG resource.
The data is extracted and decrypted from the PNG resource file, then it executes the next stage payload in the memory.
The second stage payload is again a .NET PE file. This file contains two encrypted resources.
Figure 6: The encrypted resources.
It decrypts the resources with the same DES-CBC algorithm but with a different key and IV. The resource known as kFnU contains the command strings to weaken the infected system
Figure 7: The decrypted resource known as kFnU.
The resource known as AZvDEOH is also a PE file, which is directly loaded in the memory after decryption. This PE file is the NanoCore binary.
NanoCore RAT is written in the .NET framework and first appeared in 2013. The NanoCore RAT is powerful enough to perform a variety of malicious operations including:
The impact of this RAT is that it compromises a system with backdoor capabilities that can execute malicious commands, gather user credentials, log keystrokes and steal user information.
Figure 8: The NanoCore binary.
The NanoCore binary has encrypted configuration data in the RCDATA resource.
Figure 9: The encrypted NanoCore configuration.
This encrypted data is decrypted with the DES algorithm as shown in Figure 10.
Figure 10: The decryption routine for the encrypted configuration.
The decrypted NanoCore configuration is shown in Figure 11.
Figure 11: NanCore configurations.
The NanoCore RAT uses a custom TCP protocol to connect to a server specified by the attacker on the specified port. This sample uses the DES algorithm to encrypt the traffic, which is shown below. This is nothing but a combination of machine name, user name, system guid, app version, and executable path.
This sample has a primary host as aboki0419.duckdns[.]org and backup host as abokijob.hopto[.]org. It resolves one of the domains and sends customized TCP packets to its IP address.
Figure 12: Network communication.
Figure 13: NanoCore CnC commands.
Nanocore RAT capabilities
This malware can steal browser and FTP credentials and send them to its command and control (CnC) server via a custom TCP protocol. This RAT can also steal user’s email credentials. All of this leads to a complete system compromise.
Details from the Zscaler Cloud Sandbox
Figure 14: Zscaler Cloud Sandbox report.
As we saw in the technical analysis section, this malware has lots of obfuscation methods involved to hide its actual payload. The ThreatLabZ team continuously monitors ever-evolving advanced malware and places a detection for different layers of malware execution. We will continue to monitor the NanoCore RAT and other threats to keep our customers safe.