Remote Administration Tools are seemed to be the lowest of the low in mafia lore. It is a squealer that puts the very survival of the organization in danger. When it comes to protecting businesses from cyber threats, he needs to take a leaf out of the mafia’s book and handle RAT. You can try the NanoCore RAT download that comes in version v22.214.171.124 by Alcatraz on GitHub.
This is one of the sophisticated Remote Access Trojan which is used to create a backdoor to get administrative control over the victim’s device.
Table of Contents
- 1 About NanoCore and its Origin
- 2 How NanoCore RAT operates
- 3 NanoCore Infection and Spreading Features
- 4 NanoCore Released v126.96.36.199
- 5 How To Stay Safe from NanoCore
- 6 Analyzing NanoCore RAT components
- 7 NanoCore RAT Download (Latest) 2021 – Top Remote Administration Tool
About NanoCore and its Origin
Taylor Huddleston who is also known as Aeonhacks in 2016 admitted that he developed, marketed, and distributed this on the dark web from 2012-2016. He got arrested and jailed for 3 years in the federal prison for aiding computer intrusions but without any luck still did not stop or slowed down its spread. Security hackers kept his creation alive and kicking by releasing various versions throughout the years. Its backend functions are very close to how njRAT works.
This is a high-risk RAT that provides the attacker with all the details on the device name and operating system. The information is used for different malicious activities like:
- Hijacking webcam and microphone.
- Manipulating private files.
- Stealing credentials and much more.
It comes with base plug-ins that expand the performance capability of malware, inciting certain attacks. Over the years it has gone through many versions.
How NanoCore RAT operates
Mostly they are designed for a certain kind of attack. However, it allows hackers to do anything they want over the infected device once they gain control over it.
Back in 2015, targeted emails were sent to energy companies in the Middle East and Asia by spoofing the email addresses of a South Korean oil company. With this was a malicious RFT file that dropped this Trojan.
Following is a sequence of events that show how this was executed, putting the victim’s office 365 and other data at risk. See table below:
|Popular NanoCore Infection Techniques||How the Infection Happens|
|Email and Document Phishing||An email with a malicious RFT file is sent to the victim’s outlook.|
|Payload malicious links||The user clicks on it and Trojan is uploaded on his device without any detection.|
|Compromising email accounts||The keyloggers steal credentials of Office 365 to gain access to financial information and other critical data.|
|Ransomware injection||The information is then moved to servers that are owned by the security thefts. Victims are then asked to pay in order to get the stolen data back from Office 365.|
Important tip: Keep office 365 administration credentials and data protected from cyber-criminals.
NanoCore Infection and Spreading Features
It is delivered by malicious email attachments such as MS Office documents but with advanced spam filters, criminals are forced to get creative, and one ca bet that they are leaving no stone unturned.
Microsoft Office Products
These files are used to threaten actors to spread it. It comes with a distinct delivery method as the infection method takes place over many stages before the final payload is executed. You won’t believe that even the email gate-away scanners are not able to cut through the different layered approach.
ZIP File Payload
Different zip file structures can bypass secured email gateways. One file shall payload it whereas the rest are decoys that make sure such content goes without any notice.
ISO files larger in files are difficult to scan, plus opening one is as simple as double-clicking on the file. This specific convenience increases the chances of victims clicking on such an attachment.
NanoCore Released v188.8.131.52
A new version of this infamous RAT, dubbed NanoCore version 1.2.2 has resurfaced on the dark web. For $25 a special kit is being sold which comes with a free release. As it comes at a lower price it allows even a broken criminal to launch effective attacks.
This kit has:
- The capability of reverse proxy connection.
- Remote surveillance with desktops, audio feeds, and webcam.
- 24/7 support.
The worse thing is that it is difficult to detect as most of the actions it performs are similar to other operations making it look benign to most teams. Moreover, it is also used to carry precise operations that do not resemble malware techniques, in the essence of pulling light from the eyes of all the IT administrators.
As the result, the businesses bleed money due to security issues, loss of data, hardware damage, and long hours of unplanned downtime.
RELATED READ: Download Sentry MBA Configuration Files.
How To Stay Safe from NanoCore
- We need to educate our employees on best practices regarding security which would help them stay alarmed against phishing scams.
- Do not rely only on the judgment of employees.
- Have a good backup and recovery system to protect a business when things go in a bad direction.
- With spanning one can adopt a robust approach when dealing with RATs, it detection system makes sure that IT administrators are given a clear insight into the backup health of the business. It alerts all the admins by flagging them through emails in case any issues are identified in the files. With this, they take required actions to control the threat before it causes some major damage.
Analyzing NanoCore RAT components
Script file ufj=ked carries commented garbage code. Most code has comments which are disregarded by an interpreter, after cleaning this, script file size came down to 7kb from 203kb.
Following is de-obfuscated code in this script:
The third file is a configuration used by a script that carries a second AutoIT Script and a loader; this is also riddled with garbage values that need cleaning. The following image shows how it looks after cleaning.
Cxf.exe is a copy of Autoit.exe interpreter which runs a malicious Autoit script ufj=ked. When we go back to code ufj=ked and understand how it works, we can see that it is checking for the existing Avast AV process avastui.exe. After this, it finds configuration file qnb.jpg and gets values sK and sN.
If the values are empty then the script terminates. If not then it reads data between (sData) and (esDate) and gets so the value to process the decoder function and execute the script finally. During this, a random file is written to the same directory with data from the configuration file. The new one is also an obfuscated AutoIT script which also sets attributes of the file in the current directory to “read-only and hidden”. This one is familiar to others in older attacks.
NanoCore RAT Download (Latest) 2021 – Top Remote Administration Tool
This was all you needed to know about NanoCore Download and how it operates and infects. This particular remote access tool was also named malware of the month by various security companies due to its infamous spree. It has unfortunately not been kept updated by its creator “Alcatraz” on GitHub but the current one works just as fine as before.