Tuesday, January 17th, 2017
Email phishing is a technique used by digital adversaries to gain access to a target's computer. Examples can be found as early as the mid-1990s and email phishing continues to be a widely used practice to this day. Adversaries will often use social engineering in phishing emails to trick their targets into allowing system access. It can be easier (and more efficient) for a threat actor to gain access through an end user than attempting to break in forcefully.
However, there are ways that individuals without a background in security can help identify potential email phishing attacks. Security processes may offer some level of protection, but recognizing email phishing at the user level is just as important. Let's examine some of the red flags of a potential email phishing attack.
Threat actors may compose their phishing emails to appear as if they are coming from an existing contact. You are more likely to open an email and not question its contents if it is being sent from someone you know. However, adversaries can spoof (or fake) email addresses to trick you into granting them access. One way this is accomplished is by slightly adjusting the domain name in senders the email address.
Here is one example;
Organization Name: ABC Tech
Email Sent From: Jessica McCowen
Real Email Address: JessicaMcCowen@ABCTech.com
Spoofed Email Address: JessicaMcCowen@AABCTeck.com
At a brief glance, the fake domain may go unnoticed allowing the email to slip under the radar. While the name of your contact may be legitimate, this alternate domain could be a red flag.
The first step is to compare the sender's email
address against your known contacts. Check your email contacts and/or
your company directory to be sure the email was sent from a legitimate
contact.
After the contact is verified, compare the email addresses (and
domains) for discrepancies. If there is a noticeable difference, report
the email to your security team so they may investigate it further.
Another step you can take (after verifying the contact) is to call the
sender directly to ask if they sent the email. Performing these simple
checks will help keep your email and organization a little safer.
Digital adversaries can use attachments to deliver malware and other malicious payloads. Almost any type of file can be attached to an email, and most people are programmed to open them. Adversaries may model an attachment to resemble others that were previously sent, such as a resume or an invoice. You should be cautious with attachments and take a few precautionary steps before downloading any documents.
The first thing you can do is examine the attachment name and file type for any discrepancies. If the name or format of the attachment does not seem to match up, it is better to cautious. After verifying the sender, contact them directly and confirm the time the email was sent, the attachment name, and file type.
Possible Discrepancy Example; DavisSmithInvoice.PDF vs. newInvoice1.Docx?
You should also check that the program icon and the corresponding file extension matches up. Every file has a default icon and an extension indicating the file type, such as a Word document, PDF, or zip file. If the attached file is a Word document but has the extension of a zip file, this could be a malicious attachment. It is unlikely that the program icon and the corresponding extension will not match.
For a standard Word document, the icon extension will be .Docx (or .Doc). A mismatched extension (such as .pdf or .exe) could indicate the attachment is hiding a malicious payload.
Most people have opened emails containing a link to a product, an invoice, or to process a payment. Threat actors can exploit this practice to trick you into downloading a malicious payload. If you have clicked a link and you are being asked to “sign in” using your email or social media account, this is a red flag. When receiving a link to an invoice or a downloadable form, it is better to be cautious. Double check that the URL has directed you to the proper location.
You can train yourself not to assume every site, or link you visit is legitimate. If a link looks like a Flash Player update but the URL reads www.updateEEE.com, it is better to close the link and not proceed. Anytime you need a software update; it is safer to visit the host site directly to look for your update (such as Adobe.com).
The structure of an email can be a
If you do not know the sender, the context, or even what the email is directly referring to, you should contact your security provider to examine the email. Security experts can investigate phishing emails to gather valuable threat intelligence about who may be targeting your organization.
Sometimes a Word document (for example) contains content that is only viewable by “enabling macros.” Microsoft Word will prompt you to perform this action with the notification below.
Adversaries can hide the trigger to activate and run malicious software into this action of enabling macros. This is one-way threat actors can trick you into installing malicious software on your system. In the Kill Chain, this is called “exploitation.”
If you are receiving a prompt to enable macros, ask the (verified) sender for another version of the file that does not require this action. Again, check the body of the email and the attachment relevancy before downloading anything. You can also contact the sender directly to be sure there is a reason for the macro enablement. Nothing is 100%, but it is better to be safe than assume anything.
Let’s examine the use of a spoofed or faked URL more closely. If a threat actor wanted to send you a malicious link pretending to be PayPal, they could not use a functioning URL such as www.PayPal[.]com. However, an adversary could use a URL that looks very similar such as Pay_Pal_info[.]com or PayyPall_info[.]com. If you are not paying attention, these fake URLs might pass as the real thing. Attempting to use a malicious link could result in dangerous malware being downloaded onto your system.
Checking the legitimacy of a URL is not too complicated. You can open a new web browser, search for the company's homepage, and examine URL of the organization in question (PayPal, Adobe, Etc.). If the home page URL is PayPal[.]com, supplementary information or updates will usually stem from this URL (PayPal.com/info). If the link or site provided to you is not following this format, this is a red flag.
Information is what threat actors are usually after. Any piece of information obtained can potentially lead an adversary to another point of access. Information like your mailing address, passwords, or account numbers should not be sent over email. Threat actors can use even small pieces of information, such as a zip code, and leverage that information against you.
You should never provide personal information over email. There are very few exceptions to this rule. If an adversary obtains your personal data, they could pivot their intrusion efforts and target other connections in your network. As a general rule, you should not provide any personal information, account numbers, or passwords over email.
An email welcoming you to a new organization or claiming to be “John in sales,” could be an adversary using social engineering. Most of us have experienced the feeling of trying to remember the name of somebody who seems to know us. Digital adversaries can utilize this same approach in phishing emails. You may assume the sender is someone you met in passing as you proceed with trying to assist them.
You should ask who they are, plain and simple. There is nothing wrong with asking for clarification as to who a sender is, who their supervisor is, or what department they are in. This is especially true if you are new to an organization that may have 100’s or even 1000’s of employees. You should not assume anything and ask for clarification as to who the sender is before proceeding.
An email with a clean and robust signature can trick you into a false sense of security. If you have not heard of the company or the individual, you should not assume that either is real. How many adversaries would go through the trouble of creating a fake name, LinkedIn profile, or company website? The answer may be far more than you may think.
When researching a company or an individual, you will need to do more than visit their website. Examine their social media profiles including the company and sender LinkedIn pages. Lacking or minimal company information, missing profile photos, and/or low connection counts (usually 10-50) are all red flags. If information is not readily available, chances are the email may be a phishing attempt.
At the end of the day, you know the types of emails and messages you receive on a daily basis. If anything just feels off, you should assume that it is. When emails are a staple of your business communication, you become attune to the various tones that senders have in their emails. If the tone of a sender is usually professional and your next email from them is overly casual, this should seem “off” to you.
If anything feels off, do not hesitate to confirm with the sender directly or contact your security team to examine a suspicious email. Taking a few precautions could keep your organization from experiencing a serious intrusion that could cost millions to recover from.
Unfortunately, phishing is not going away anytime soon, so it is better you are prepared for what may come your way. As security professionals, we see the pain these phishing emails can cause on a daily basis. As much as we want our clients to be protected, we also want them to be informed. Responding to an intrusion is a job for the dedicated security team, but individual efforts can help reduce the likelihood of an intrusion.
Most intrusions still come down to the unintentional actions of individuals. When it comes to spotting phishing emails, watch for these red flags and keep your security team notified of anything suspicious. In short, taking a little more time examining your emails can help prevent your organization from being the victim of an email phishing attack.
Want to learn more about DigiTrust’s managed security services? Our experts are always available to answer your questions. You can call us directly at (310) 696-4500 or by using the form below. If you are experiencing an intrusion from a phishing email, click the box to below to learn more about our incident response services. Thank you for visiting The DigiTrust Group.
Posted in The DigiTrust Group BLOG | No Comments »
Thursday, January 12th, 2017
In June of 2015, incident response experts at DigiTrust were alerted to a phishing email sent to one of our client organizations. The email contained a link to an order form which was downloaded and opened by an employee. The innocent looking document was not only weaponized with a malicious payload but also contained something new our experts had not seen before.
The malicious payload was called Agent Tesla, a keylogger that could capture keystrokes and email them back to the threat actor. The further our incident response team investigated, the more apparent it became that Agent Tesla was much more than a standard Keylogger.
Agent Tesla many features that have not been seen in keyloggers before.
Agent Tesla is a relatively new piece of malware used for tracking keystrokes on a victim's computer. The malware can be secretly used by adversaries to collect account information, usernames, passwords, and credit card numbers. Although keyloggers are not built to extract files or remotely provide access a system, any information typed into documents, browsers, or messaging apps can be recorded. Threat actors can take “snapshots” of keystrokes and see everything that has been typed, searched, or accessed. While Agent Tesla can perform standard keylogging functions, it also has features that set it apart from similar pieces of malware.
Tesla has been growing in popularity for a variety of reasons including availability and price. Agent Tesla is readily available, and pricing varies depending on where the threat actor finds it online. From forums claiming to have free “cracked” versions to www.AgentTesla[.]com providing access ranging from $9-$30, Agent Tesla is not difficult to acquire. Threat actors downloading the keylogger directly from Agent Tesla’s website receive 24/7 support and software updates.
Threat actors are provided with 24/7 support, updates, and a Skype contact for assistance.
The delivery of Agent Tesla onto a victim’s computer is often accomplished through phishing, or sending emails with an infected attachment. Agent Tesla also has a feature that allows it to autorun from a USB stick. Currently, Agent Tesla can only be used on Windows operating systems (all versions) while use on other platforms such as Mac or Linux is not an option.
Searching for Agent Tesla online returns pages of results providing access to or discussing Agent Tesla. When we begin to examine Agent Tesla's features, it becomes clear that this keylogger is more robust than
The list of features and options for Agent Tesla is extensive. For clarity and cohesiveness, we have outlined some of the core features and functions in this article. While keyloggers were once only known for capturing keystrokes, Agent Tesla has expanded its capabilities far beyond the standard.
Click the tabs below to learn more
The ability to do more than just record keystrokes is beyond the standard functionality of most keyloggers. Agent Tesla has a "downloader" feature, allowing the adversary to download and run files on a victim's system. This feature alone shows that Agent Tesla could be used for more involved intrusions than a standard keylogger.
There are two main pieces to using Agent Tesla. The first is the interface allowing for customization of Agent Tesla's functions.
If a threat actor wants to customize Agent Tesla before sending it to a potential target, this interface allows them this flexibility. From the visibility of the install to how the victim will interact with Agent Tesla is controlled from this interface.
The second piece is the actual dashboard of Agent Tesla. The threat actor monitors the connected systems and controls Agent Tesla from this dashboard. The dashboard is a command center, and the adversary is at the controls. Let’s take a look at both the interface and the dashboard.
Agent Tesla needs to be enabled (turned on) by the target themselves; this can require a level of obfuscation. Agent Tesla can create a false message to trick the target into providing access. The false message might read “Update Adobe Flash Player,” after the target clicks “ok” they have just told the computer to “install Agent Tesla.”
The following shows how Agent Tesla can create a fake pop-up message to deceive a target. The threat actor can create a heading (#1), a message for the pop-up box (#2), and can even include a particular icon (#3). The result is a fake pop-up message used to trick the victim into installing Agent Tesla.
The dashboard is a single window with simple navigation tools providing the adversary a clear view of their connected “clients."
All collected information such as keystroke logs (#1), time stamps (#2), and IP addresses (#3) can be found in the dashboard. The column on the left side of the dashboard allows for quick access to collected passwords, screenshots, and keystrokes (#4).
Agent Tesla will keep logs of the victim's keystrokes and where those keystrokes occurred.
If the victim opens Notepad, Outlook, or even Facebook, the blue text tells the adversary where these keystrokes were made. Standard black text with no formatting will indicate the actual written text of the victim, such as a username or password. The final indicator color is green; the green text shows the function keys that were used.
The ability to automate may be one of the most dangerous features of Agent Tesla. An adversary can automate the keylogger to take snapshots of keystrokes, the desktop, and webcam images at timed intervals. If the threat actor wanted to take a snapshot every 10 minutes, Agent Tesla could do just that. The adversary can view what was collected in the Agent Tesla logs (or via email) and keep the information they find most valuable.
Although Agent Tesla is not completely hands off, any level of automation can make collecting information faster and simpler for adversaries. Automation, interface simplicity, and advanced features are just some of the reasons Agent Tesla’s use has expanded in 2015 and 2016.
To protect against Agent Tesla, we need to be cautious in opening our email attachments or visiting unknown web links. However, if a keylogger was already inside the system, what would we do? How would we know? When we begin to ask these questions at the enterprise or organizational level, the answers can become much more involved. With malware like Agent Tesla having the ability to download and run additional malware, the possible damage extends beyond collecting keystrokes. Although there are several pieces of software claiming to be able to find keyloggers, these tools are not able to establish any situational context to understand how deep the intrusion may go.
Full automation in information
security is not yet a reality, which is precisely why security software
may only eliminate the symptom as opposed to alleviating the root of the
problem. Automated security software cannot determine or evaluate the
context behind an intrusion. Security experts need to build as much
context as possible around incidents involving malware like Agent Tesla
to effectively investigate, contain, and remediate.
By performing incident response, we can understand the complete who, what, when, where, and why of Agent Tesla within a victim's system. The ability to root-cause provides a better chance of a thorough recovery and better protection against such intrusions in the future. DigiTrust’s people, processes, and technology are dedicated to not just finding the needle in the haystack, but getting to the root of intrusions like Agent Tesla and eliminating it.
To learn more about DigiTrust’s managed security and consulting services you can contact us using the form below or call (310) 696-4500.
The DigiTrust Group is a managed security services firm that focuses
on using advanced people, processes, and technology to proactively
provide the highest level of information security at our client
organizations. We do this by actively identifying, blocking, and
researching attackers hitting our client organizations. In short, we act
as a security operations center (SOC) for organizations that either do
not have a SOC or require augmented SOC functionality.
Posted in The DigiTrust Group BLOG | No Comments »
Tuesday, January 10th, 2017
It Was a Friday...
It is a Friday like any other. With coffee in hand, you sit and check the results of your anti-virus security scans. Three alerts have been raised, two have been “quarantined” and the other “cleaned”. You dig in and find two malicious files, you delete them, and rescan. No alarms.
It’s a good thing your anti-virus caught these threats early and the issue was contained…or was it?
Did your anti-virus catch it on the way in or on the way out? Was the malicious software actively harvesting data or was its job already done? Was it just lying dormant? Did it move laterally through your organization and what triggered your alert was only the tip of the iceberg?
What is Incident Response?
Anti-virus tools are just that, tools.
Incident response means moving away from solely relying on tools or software to magically resolve incidents, and instead, focusing on using people, process, and technology to establish much-needed context.
Establishing Context
Where do information security experts gain this
context? We study our adversaries in a very methodical way. This
dedication to understanding their adversarial tradecraft is the critical
link that allows us to establish context. To disrupt or deny the
adversary, we place ourselves in the mindset of these threat actors to
understand what allows them to function as they do.
The threat actor’s
goal is to seek out valuable information that can be leveraged,
harvested, sold, or even held for ransom. They follow certain processes
and procedures; they invest their time and resources into opportunities
that will yield them the greatest return on their efforts.
The Kill Chain®
The information security industry refers to the threat actor’s process as a Kill Chain®, a term coined by Lockheed Martin. The earlier the Kill Chain® can be disrupted, the less chance the threat actor has to execute on his objectives. Let’s take a look at the Kill Chain® and the process a threat actor goes through to access an organization.
The Kill Chain®
1. Reconnaissance: Understanding the Target
The threat actor begins with reconnaissance. The threat actor will often crawl websites gathering information such as email addresses, social media connections, or specific information on your organization’s technologies or processes.
The goal for the attacker is to gather any valuable information that will offer an access point to the target organization.
2. Weaponization: Arming the Payload
What exactly does this malicious threat actor use to gain access? The answer comes in the form of weaponization. Much like the military and camouflage, threat actors don’t want to be noticed.
They want to pair their malicious payload with something that appears normal and benign. A PDF attachment or a standard Word file can be used to camouflage malicious payloads, for example.
3. Delivery: The Path Inside
The threat actor has his weaponized payload and now he needs to deliver it. How is the payload delivered into your system when you are already taking security precautions?
Threat actors will pair their payloads with actions you take every day, such as checking your email or visiting a website. Both of these normal processes can be a gateway for the threat actor.
4. Exploitation: Flipping the Switch
Exploitation is what flips the switch, making the threat active. This could be as simple as opening a macro-enabled Word document, which can execute embedded malicious code.
5. Installation: Building a Back Door
Malicious code is now running on the system. The payload can begin installation of an implant, allowing access and the ability to maintain position within your environment.
This essentially acts as a “backdoor” allowing the threat actor to enter and exit your system whenever he pleases.
6. Command and Control: Taking the Wheel
The installed implant now needs to connect to an operator, or in this case, connect to a system that allows manual or programmatic control of the threat.
Once the connection is made, access is granted. The threat actor now has the platform in place needed to begin executing his objectives.
7. Actions on Objectives: Access Granted
The attacker can now begin executing his objective. This may include using the primary access system to move laterally into other systems within your network.
The following is a look at how a threat actor could utilize this Kill Chain® to gain access to your organization.
So where in the Kill Chain® did your anti-virus alert your team?
You can quickly see the level of investigation the incident response team must be able to undertake. Each link of the chain must be identified. The point of detection (or Kill Chain link) will determine how incident responders should proceed to contain and remediate.
Anti-Virus may sound an alert, but knowing where the threat was found, how long it has been present, where it came from, its intent, and what it has accessed is imperative to successfully closing the loop.
Incident Response vs. Anti-Virus
Due to the automated nature of anti-virus systems, the ability to contextualize and root-cause threats is beyond the reach of anti-virus tools. Applying incident response to an alert requires understanding the paths threat actors travel and their intent. While a “quarantined” anti-virus alert may offer
Incident Response Final Perspective
To learn more about DigiTrust’s managed security and consulting services you can contact us using the form to the right or
call (310) 696-4500
The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.
Posted in The DigiTrust Group BLOG | No Comments »
Thursday, January 5th, 2017
In May of 2016, DigiTrust was alerted to some malicious activity in one our client organizations. The investigation revealed that a host on the client's network might have been exposed to an unknown threat while visiting a malicious web domain. Incident response experts were able to locate a Remote Access Trojan (RAT) hidden within the client's system.
Peeling back the layers revealed this to be a newer type of RAT built in Java called
QRAT is a Java-based variation of what is known as a RAT or Remote Access Trojan (or tool). A RAT is used by threat actors to gain remote access to a system, usually to harvest valuable information. IT teams have similar remote access tools they can use to connect to a computer remotely when attempting to fix a system issue. In the case of QRAT, whatever the victim can access, a threat actor can also access from anywhere in the world, except the victim won’t even know they are there.With QRAT installed, the threat actor has created a backdoor providing them access to the victim's valuable information. With this backdoor, the threat actor can explore files, capture logins, run programs, activate webcams, and much more.
QRAT was introduced in May of 2015 and marketed as an “undetectable Java Rat” by
What makes QRAT different than a standard RAT? Functionality, usability, and construction. Threat actors could initially purchase access to QRAT online as a SaaS solution (Software as a Service). The same process someone might use to access Microsoft Office 365 or Salesforce, QRAT works in a similar way. Threat actors could visit the
QRAT was designed to be user-friendly, appealing to both sophisticated and non-sophisticated threat actors alike. The user interface looks similar to a Customer Relationship Manager program (CRM) that any organization may use and offers an abundance of controls. From this single pane interface, a threat actor can clearly see all of their "client" systems that are connected. Digital adversaries have a multitude of actions they can take on any connected system with just a few clicks of their mouse.
What makes QRAT a more of a pronounced risk is the obfuscation it uses to avoid detection. While QRAT is based in Java, QRAT is also hidden under layers of Java encryption when being delivered to a potential target.
This multi-layer encryption makes detection of QRAT much more challenging for systems that are not efficiently monitored. With executable code contained within the Java file, it can be sent directly as an email attachment or compressed into a zip file for delivery. In short, using a Java file or compressing the payload into a zip file only increases the chance of QRAT reaching its target.
Payload Delivery Option: Phishing
After the ZIP file is opened and the malicious Java file is clicked:
1. The payload runs decryption instructions allowing the next level to be opened. (Level 1)
2. The next level, containing the (QRAT) repeats this process of decryption to install QRAT.
(Level 2)
3. With QRAT installed and connection to the host made, the actor now has remote access to the system. (Level 3)
From the QRAT interface, the threat actor can see connected IP addresses, upload and download speeds, OS versions, and much more. Files and information can be accessed just as easily as if they were sitting in front of the victim's computer. Adversaries can gather private documents, capture login credentials, access account information, or move laterally through an organization's connected systems. The depth of intrusion possible with QRAT all depends on the intent of the threat actor.
QRAT may be moderately sophisticated in its construction, but it is not difficult to deploy or use. Threat actors of all levels can use QRAT and the damage done is limited only by their intent. The combination of SaaS accessibility, intrusion capabilities, and ease of use, only broadens the appeal to threat actors to add QRAT into their arsenal.
If the threat actor wanted to increase the intrusion capabilities of QRAT, they have the ability to expand functionality with additional plugins. Plugins are software components that add additional functions to QRAT and enable customization. In short, adding plugins allows the adversary more flexibility and a greater level of intrusion possibilities with QRAT. Some plugins available for QRAT include:
As security experts, we look at a very critical timeline: the time from “detection to ejection” of a malicious threat. Depending on the intent of the threat actor, they may find value in prolonging their stay within the victim's system. The longer the adversary can remain undetected, the deeper the levels of access they may obtain, including moving laterally to other machines within the network.
DigiTrust uses its defense technologies and incident response experts to make this detection to ejection timeline as limited as possible.
Threat actors continue to refine their tools and methods as quickly as security experts develop techniques to defend against them. This refinement is apparent with the advent of
Understanding the latest intrusion technology and techniques sets The DigiTrust Group apart in the industry. Our evolving threat intelligence fuels the continuous growth of our managed security capabilities across our client community. To provide targeted security and defense, we move beyond identification, extracting the context behind the malicious intrusion whenever possible. Security software tools are powerful, yet results are limited without the application of rich situational context.
The right mix of people, processes, and technology is still required to analyze, investigate, and perform incident response on intrusions that leverage tools such as QRAT. Understanding how QRAT entered the system, what it has accessed, how long it has been in the system, is all critical to effectively root causing the incident. The more we understand about QRAT, the higher the probability that we can prevent intrusions like QRAT in the future.
To learn more about DigiTrust’s managed security and consulting
services contact us using the form to the right or call us at (310) 696-4500.
The DigiTrust Group is a managed security services firm that focuses
on using advanced people, processes, and technology to proactively
provide the highest level of information security at our client
organizations. We do this by actively identifying, blocking, and
researching attackers hitting our client organizations. In short, we act
as a security operations center (SOC) for organizations that either do
not have a SOC or require augmented SOC functionality.
Posted in The DigiTrust Group BLOG | No Comments »
Sunday, January 1st, 2017
NanoCore RAT
In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports.
DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.
What Is NanoCore?
The NanoCore RAT has been on the radar of threat actors and security experts since 2013. Several beta versions of NanoCore surfaced on the dark web between 2013 and 2014 before the most recent version was released in March 2015. This current version of NanoCore has expanded beyond the dark web and is readily available online.
Whether the original intent of NanoCore was to be a free tool for intrusions or a paid piece of software to be used legitimately is unknown.
Whatever the case may be, all current versions of NanoCore appear to have all base plugins and functionality available without restriction. Between NanoCore's availability, the low $25 price point, and the free "cracked" versions found online, the use of NanoCore has spread quickly.
The Homepage of the NanoCore Website
Not A Secret
NanoCore is not a secretive piece of malware. This RAT is available directly from NANOCORE[.]io and even provides free support. NanoCore is what is known as a “modular” RAT, meaning that the threat actor can download and activate additional modules for NanoCore. These additional modules (or plugins) can expand the functionality and performance capabilities of NanoCore.
Features & Plugins
Many RATs are being used and leaked in intrusion forums across the internet; it is important to understand what sets NanoCore apart. There are various levels of threat actor, and not all of them possess the technical skills to write their own malicious software to perform intrusions. Tools like NanoCore are highly desirable to these types of threat actors, and its modular functionality only amplifies the appeal.
NanoCore's Plugin Dashboard
While NanoCore has created base plugins to expand its functionality, the NanoCore “community” have been creating additional plugins for more specific malicious actions. A search for NanoCore plugins online provides pages of results and plugins going far beyond the base plugins provided from NanoCore’s website. Plugins ranging from screen lockers to crypto miners are available for download online.
NanoCore’s Base Plugins
NanoCore’s plugins appear to be included in the base $25 purchase. Once a threat actor has downloaded NanoCore, plugins can be acquired from a link on NanoCore’s website. The free “cracked” versions of NanoCore include all of the base plugins shown here as well. The base plugins available include everything necessary to perform a successful and potentially very damaging intrusion.
Explore the Base NanoCore plugins below
The Core Plugin adds various functions, settings, and information about
the connected systems such as IP addresses, connection speeds, etc.
Flexible, Damaging, and Popular
With all of this functionality being available even at the base level, NanoCore has become very popular, very quickly. Combining this with the abilities mentioned earlier allow more sophisticated threat actors to build additional plugins that expand NanoCore’s functionality even further. The expansion of NanoCore's capabilities only enhances the damage that could be done.
NanoCore's Interface
NanoCore has a simple yet robust user interface that was built as an all-in-one control center. The top portion of the interface window acts as a live feed with various widgets showing network usage, active “clients”, and polling data (reviews) for new plugins.
Along the left side of the screen are NanoCore’s main categories outlining various functionality areas of NanoCore. Additionally, within each main category are up to eight subcategories to aggregate the data and settings.
Explore the main tabs content below.
If an adversary wanted to steal personal files from a computer and then upload additional software to the system, the Client's tab is where they could do this. From this tab a threat actor can view connected systems, IP addresses, system files, activate webcams, etc.
Another Look at NanoCore
The functionality the threat actor has may depend on the version of NanoCore that is being used. This alternate version (fig 2) of NanoCore from 2014 shows a variation in the dashboard layout and additional “tools."
How Original is NanoCore?
NanoCore claims that their build is completely new, meaning none of the code has been borrowed from any previous RAT. All claims aside, an article from Bot24[.] com found that not all of NanoCore is completely original.
Noted in the article, the password retrieval feature of NanoCore uses a tool from NirSoft, a site offering free password recovery tools. Whether NanoCore is 100% new or not, it does not reduce
Figure 2 (NanoCore 2014)
DigiTrust and NanoCore
The identification, investigation, analysis, containment and ultimate remediation of RATs like NanoCore takes the skills of dedicated security experts. Anti-virus scanners and software tools alone do not have the ability to root-cause a malicious threat or apply contextual threat intelligence to an intrusion. Most standard modern security software would have allowed the NanoCore laced download to be installed and run without much of an issue.
Remediating NanoCore
DigiTrust incident response experts are continuously identifying
malicious RATs that need to have in-depth context applied to be
effectively remediated. Root-causing allows our experts to uncover more
contextual information about RATs like NanoCore. How did NanoCore enter
(or attempted to enter) the system? What has NanoCore accessed? Where
has NanoCore moved within the system? Knowing where a malicious threat
is hiding is valuable, but understanding how it functions is far more
powerful.
In short, it is not only about remediating NanoCore
from an organization. We also need to extract as much threat
intelligence as possible to leave that organization better prepared for
the future. There are always ways to be better protected and proactive
steps that can be taken to minimize the likelihood and impact of
intrusions using NanoCore.
Subscribe to The DigiTrust Group
Get the latest updates, information, and security articles from The DigiTrust Group, subscribe today.
The DigiTrust Group is a managed security services firm that focuses
on using advanced people, processes, and technology to proactively
provide the highest level of information security at our client
organizations. We do this by actively identifying, blocking, and
researching attackers hitting our client organizations. In short, we act
as a security operations center (SOC) for organizations that either do
not have a SOC or require augmented SOC functionality.
Posted in The DigiTrust Group BLOG | No Comments »
