NanoCore Is Not Your Average RAT
In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end-of-day credit card transactions. This system could also connect to the corporate network, which contained company sales reports.
DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.
What Is NanoCore?
The NanoCore RAT has been on the radar of threat actors and security experts since 2013. Several beta versions of NanoCore surfaced on the dark web between 2013 and 2014 before the most recent version was released in March 2015. This current version of NanoCore has expanded beyond the dark web and is readily available online.
Whether the original intent of NanoCore was to be a free tool for intrusions or a paid piece of software to be used legitimately is unknown.
Whatever the case may be, all current versions of NanoCore appear to have all base plugins and functionality available without restriction. Between NanoCore's availability, the low $25 price point, and the free "cracked" versions found online, the use of NanoCore has spread quickly.
The Homepage of the NanoCore Website
Not A Secret
NanoCore is not a secretive piece of malware. This RAT is available directly from NANOCORE[.]io and even provides free support. NanoCore is what is known as a “modular” RAT, meaning that the threat actor can download and activate additional modules for NanoCore. These additional modules (or plugins) can expand the functionality and performance capabilities of NanoCore.
Features & Plugins
Many RATs are being used and leaked in intrusion forums across the internet; it is important to understand what sets NanoCore apart. There are various levels of threat actor, and not all of them possess the technical skills to write their own malicious software to perform intrusions. Tools like NanoCore are highly desirable to these types of threat actors, and its modular functionality only amplifies the appeal.
NanoCore's Plugin Dashboard
While NanoCore has created base plugins to expand its functionality, the NanoCore “community” has been creating additional plugins for more specific malicious actions. A search for NanoCore plugins online returns pages of results, with plugins going far beyond the base plugins provided on NanoCore’s website. Plugins ranging from screen lockers to crypto miners are available for download online.
NanoCore’s Base Plugins
NanoCore’s plugins appear to be included in the base $25 purchase. Once a threat actor has downloaded NanoCore, plugins can be acquired from a link on NanoCore’s website. The free “cracked” versions of NanoCore include all of the base plugins shown here as well. The base plugins available include everything necessary to perform a successful and potentially very damaging intrusion.
The base NanoCore plugins:
The Core plugin adds various functions, settings, and information about the connected systems such as IP addresses, connection speeds, etc.
This plugin gives the adversary access to the firewall and anti-malware tools, and provides additional security information.
This plugin adds functionality such as instant messaging, file uploading, downloading, file execution, clearing memory, and clearing processes.
The Management plugin adds the remote console, registry editor, task manager, and file browser to NanoCore. This is the main plugin allowing for remote access of the connected system's files and operations.
This plugin supports connection to networks, servers, and other devices such as printers and Wi-Fi routers. This plugin adds UPnP, NAT-PMP, and reverse SOCKS 5/4A support.
The Surveillance plugin adds support for remote control of the desktop, webcam, and audio feeds. NanoCore also has support for multiple webcams from a single system at the same time.
Flexible, Damaging, and Popular
With all of this functionality available even at the base level, NanoCore has become very popular, very quickly. Combining this with the abilities mentioned earlier allows more sophisticated threat actors to build additional plugins that expand NanoCore’s functionality even further. The expansion of NanoCore's capabilities only increases the damage that could be done.
NanoCore has a simple yet robust user interface that was built as an all-in-one control center. The top portion of the interface window acts as a live feed with various widgets showing network usage, active “clients”, and polling data (reviews) for new plugins.
Along the left side of the screen are NanoCore’s main categories outlining various functionality areas of NanoCore. Additionally, within each main category are up to eight subcategories to aggregate the data and settings.
The main tabs are Clients, Builder, and Systems.
Clients tab: If an adversary wanted to steal personal files from a computer and then upload additional software to the system, the Clients tab is where they could do this. From this tab a threat actor can view connected systems, IP addresses, system files, activate webcams, etc.
Builder tab: Depending on the type of target or the intent of the threat actor, they may want to customize NanoCore before sending it to a victim. The Builder tab allows more advanced adversaries to perform this additional customization of NanoCore.
Systems tab: The Systems tab provides the adversary access to NanoCore's plugins and settings.
Another Look at NanoCore
The functionality available to the threat actor may depend on the version of NanoCore being used. This alternate version (Figure 2) of NanoCore from 2014 shows a variation in the dashboard layout and additional “tools.”
How Original is NanoCore?
NanoCore claims that its build is completely new, meaning none of the code has been borrowed from any previous RAT. All claims aside, an article from Bot24[.]com found that not all of NanoCore is completely original.
As noted in the article, the password retrieval feature of NanoCore uses a tool from NirSoft, a site offering free password recovery tools. Whether NanoCore is 100% new or not, it does not reduce
Figure 2 (NanoCore 2014)
DigiTrust and NanoCore
The identification, investigation, analysis, containment, and ultimate remediation of RATs like NanoCore take the skills of dedicated security experts. Anti-virus scanners and software tools alone do not have the ability to root-cause a malicious threat or apply contextual threat intelligence to an intrusion. Most standard modern security software would have allowed the NanoCore-laced download to be installed and run without much of an issue.
DigiTrust incident response experts are continuously identifying malicious RATs that need to have in-depth context applied to be effectively remediated. Root-causing allows our experts to uncover more contextual information about RATs like NanoCore. How did NanoCore enter (or attempt to enter) the system? What has NanoCore accessed? Where has NanoCore moved within the system? Knowing where a malicious threat is hiding is valuable, but understanding how it functions is far more
In short, it is not only about remediating NanoCore from an organization. We also need to extract as much threat intelligence as possible to leave that organization better prepared for the future. There are always ways to be better protected and proactive steps that can be taken to minimize the likelihood and impact of intrusions using NanoCore.
The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.