Introduction
NanoCore is a Remote Access Tool (RAT) thats currently available for a $25 license [1]. However, like many other RATs, NanoCore has been used by criminal groups to take over Windows computers. Beta versions of NanoCore RAT have been available to criminals since 2013 [2], and a cracked full version was leaked last year in 2015 [3].
Since then, the NanoCore RAT has been used in targeted phishing campaigns that are subtle and harder to detect [4]. Earlier this year, we saw it used in tax-themed emails as part of an increased distribution of the full-featured NanoCore RAT through phishing [5].
Since then, I havent noticed any public reporting on specific campaigns, even though Ive noticed NanoCore RAT-based phishing emails on a near-daily basis. These recent emails dont seem subtle, and the vast majority of them are blocked. I consider these recent examples malicious spam (malspam). They either have attached zip archives containing an executable file, or they have attached Microsoft Office documents with malicious macros designed to download and execute the NanoCore RAT. One such malspam with a zip attachment was recently sent to my malware-traffic-analysis.net email address. That one was easily caught by my spam filter.
Due to a relative lack of publicly-posted info on recent NanoCore RAT malspam campaigns, I thought Id examine the email I received for today" />
Shown above: The malspam.
The malspam was a fake purchase order, spoofed to seem that it came from Media6, a company that specialized in Point of Sale (POS) marketing.
- Date/time: 2016-10-18 17:49 UTC
- From: simon@pph.com.my
- To: admin@malware-traffic-analysis.net
- Subject: TKP-PO 332-2016131023
- Attachment (zip archive): TKP-PO 332-2016131023.zip
- Malware from the zip archive: TKP-PO 332-2016131023.exe
Examining the email headers, we find the email came from a mail server at ps1.700tb.com on 119.18.103.60. The sending email address may or may not be spoofed." />
Shown above: Email headers for the malspam.
The malware
As far as malspam goes, the attachment isnt anything tricky. Its just an executable file in a zip archive. These types of emails can easily be blocked by most corporate email filtering. And why would you have an icon for the Chrome web browser for a file thats supposed to be a purchase order? That just doesnt make sense to me.
- File name: TKP-PO 332-2016131023.exe
- SHA256 hash:" />
Shown above:" />
Shown above: Callback traffic from an infected host shown in Wireshark.I checked the traffic against Snort 2.9.8.3 using the Snort subscription ruleset, and I also checked it on Security Onion running Suricata with the ET PRO ruleset. The Snort ruleset showed alerts for NanoBot activity (a botnet with hosts controlled by the NanoCore RAT)." />
Shown above:" />
Shown above: Alerts from the ET and ET PRO rulesets.em>Final words
p>The NanoCore RAT is a tool that has been used in targeted phishing attacks, but Ive noticed it in daily waves of what appear to be malspam. In fact, my publicly-known blog email address got hit with an example. That leads me to believe most of the threat from NanoCore RAT is through mass distribution.With proper filtering, these emails are easily blocked. With proper network monitoring, traffic from an infection is easily detected. I figure these waves of NanoCore RAT-based malspam are geared towards home users and anyone else without sufficient security controls.
---
Brad Duncan
brad [at] malware-traffic-analysis.net[1] https://nanocore.io/purchase/
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
[2] https://www.digitrustgroup.com/nanocore-not-your-average-rat/
[3] https://www.symantec.com/connect/blogs/nanocore-another-rat-tries-make-it-out-gutter
[4] http://blogs.cisco.com/security/talos/sysadmin-phish
[5] http://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/