Nanocore RAT Malware Analysis

About this Report

The goal of this report is to provide actionable intelligence against threat actors along with malware or other tools they use for reconnaissance, delivery, exploitation, and so forth in order to empower security operations (SecOps) teams to quickly detect and respond to this specific threat. This information is also intended so that SecOps teams can utilize the intelligence in this report in order to set up preventative measures for the malware analyzed. In the case of a victim of this malware, this analysis can be used to understand the impact of the malware (lateral movement, data exfiltration, credential gathering, etc.). We also share this intelligence back to the community to assist other researchers in their analysis of the same malware.

MITRE ATT&CK® Table

13 Indicators are mapped in the above mentioned MITRE ATT&CK® data.

Analysis Overview

Introduction

The malware activity was observed by Rewterz’s SOC Team during the analysis of an alert particularly of a security control which shows an alert ‘Trojan.Heuristic detected’. After the file detection, the malware file was forwarded to the Rewterz Threat Hunting team for a detailed analysis.

This threat intelligence report is based on analysis from the Rewterz Threat Hunting team in which we examine details of specific samples of malware belonging to a family publicly known as “Nanocore.Rat”.

File Identity

Summary of Analysis

As per our analysis, it has been observed that this program is neither CLI nor GUI based, it only runs on backend and the prompt disappears just after a fraction of second after it shows up so it can barely be seen when it executes. File uses MSVBVM60.dll and its functions explained below.

The program exists in 32-bit version and it also drops another file with the name of verdens9.exe, which helps in enabling remote desktop connection publicly to other machine. This trojan contains hardcoded URL and IP for response to its C&C server. It drops communications component that is configured to use “RegAsm.exe” windows process to initiate network communication and Registry changes for the same purpose.

Characteristics

The characteristics found through the analysis is explained below:

• This file drops another file with the name of verdens9.exe in the folder Protokolch6 created under the main directory of Users already present in the C drive.

• This program is also using RegAsm to add task into the task scheduler by passing the following arguments “/create /f /tn “PCI Monitor” /xml “%TEMP%\tmpBD56.tmp” and it uses registry entrance as well.

• This program is also using RegAsm to enable remote desktop connection by adding registry in the registry directory as explained in below screenshot:

Dependencies

This trojan depends on the MSVBVM60.dll library along with its dropper verdens9.exe with the usage of RegAsm.exe windows based program which add values in registry for persistency of its dropper and to perform malicious activity and the process graph explained below will also enhance the vision.

Behavioral Findings

The behavior of the analyzed program is explained below:

After the very first execution of opixxxxss.exe, nothing displays on the screen while it only executes in background dropping the malware with the name of verdens9.exe, which is present in the created folder Protokolch6 under the folder of users present in C drive.

After dropping the malicious file, it uses the RegAsm.exe tool, which is used to register the values in registry, to perform malicious tasks. All the registry changes are defined below:

1. This malware uses the RegAsm process to add task into task scheduler by passing the parameter “/create /f /tn “PCI Monitor” /xml “%TEMP%\tmpBD56.tmp”

2. After adding task to task scheduler, the malware uses RegAsm to create the persistence of verdens9.exe file, to make it run only once by passing the following argument in registry “HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE”; Key: “MISCON”; Value: “%USERPROFILE%\Protokolch6\Verdens9.exe”.

3. Malware then attempts to access software policy, system certificate policy, system language relevant strings, windows services privileges for TCP connections. The registry paths are defined below in which parameters are passed:

Below screenshot shows the entries in registry by RegAsm.exe

4. After the changes in registry, it tries to initiate network connections to following URLs and IP addresses:

However the URL and IP defined above were not found malicious on known threat intelligence sources but we consider them as malicious because following malicious program is using Partial Range Downloads API to retrieve the files from the URL “lws7q.bn.files.1drv.com” defined above which were already uploaded.

5. Another network activity is also observed which declares that the subjected malware belongs to Nanocore RAT family it is initiating request on the IP 185.140.53.196 on port 39791 as shown below:

The URL behind the TCP request were “meeti.duckdns.org” which represents that this is the Nanocore RAT malware and the IP address of URL is “192.169.69.25”

6. Finally, this malware enables remote desktop connection in the system by passing the arguments “1” for TUserEnabled key in the registry. The directory in which key passed is “HKLM\SYSTEM\CONTROLSET001\CONTROL\TERMINAL SERVER” and the key value is 1 which means it’s true.

Conclusion

Based on the analysis, this trojan has intentions to give remote access. Rewterz team continuously monitors ever-evolving advanced malware and develop patterns to detect malware execution on different players. According to the behavior, it is initiating request on an unknown public IP addresses and URLs but after analyzing the whole malware it is found that this malware belongs to RAT family Nanocore which helps in the creation of remote connection for malicious purpose.

Nanocore RAT History and Features

Nanocore is a Remote Access Trojan which first appeared in 2012 and was originally sold by the author for $25 on his website nanocore.io, with the author selling his tool under the guise of a ‘Remote Administration Tool’. The website boasted the software to have the following features:

1. Remote surveillance via Remote Desktop, Remote Webcam and Audio feeds.
2. Reverse proxy connection capability.
3. Affordability, with a price tag of $25.
4. Plugin Support.
5. 24/7 Support.

The Plugin list is extensive, a few of the plugins available are listed below:

1. Surveillance plugin: Allows for microphone and webcam access.
2. Tools plugin: Allows for better control over the compromised host.
3. Security plugin: Provides access to the compromised host’s AV tools and firewall.

The author, Taylor Huddleson, was eventually arrested in 2016 and in 2018 he was sentenced to 33 months in prison.