NanoCore RAT: It’s Not 100% Original
A few days ago, a cracked full version of the NanoCore Remote Access Trojan (RAT) tool was leaked.
With little existing documentation of NanoCore, we decided to investigate its core set of features and techniques ourselves. (We do this as part of enSilo’s development of the best endpoint security software.) What we found was that although this RAT is highly sophisticated, its authors weren’t keen to totally re-invent the wheel. In fact, one of NanoCore’s unique features – password retrieval – uses another tool from NirSoft, web freeware that is also commonly used by threat actors.
NanoCore is one of the more sophisticated RATs out there, developed in .NET. NanoCore’s feature list includes remotely taking full control of a computer, recording the computer’s video and audio, recording user keystrokes, stealing passwords, extracting files from the computer and more. Most recently, NanoCore was spotted in campaigns against energy companies in Asia and the Middle East. Victims are infected in a myriad of ways; the most common method is through an email attachment.
While NanoCore is typically purchased in limited versions on the underground, this cracked version – as leaked by security researcher Alctraz3222 – enables anyone with access to NanoCore to also use the premium plugins that come with it for free.
As with any cracked version of a RAT which enables threat actors to use any one of these features for free, we’re bound to see a spike in the usage of NanoCore in the upcoming months.
An Overview of NanoCore through the Eyes of a Threat Actor
As a first step, we decided to look at NanoCore through the lens of a threat actor:
After unpacking the archive the threat actor is presented with the NanoCore package – i.e. the RAT’s directory tree (Figure 1):
Figure 1: The NanoCore Package
As shown, there’s support for 32- and 64-bit Windows systems, a directory for plugins, files for configuration and settings, etc.
Looking into the Plugins directory, we can see the whole feature set of NanoRAT – from browsing files on the victim’s computer to capturing keystrokes (Figure 2). We also found the customizable plugins.
Figure 2: NanoCore’s list of plugins
We’d like to note that an earlier version of NanoRAT that we had analyzed in the past also included an external Distributed Denial of Service (DDoS) plugin (Figure 3). This DDoS plugin enabled the threat actor to use the victim’s machine as a proxy to bring down a third-party server.
That said, the particular version we’re describing in this post lacks the particular DDoS plugin.
Figure 3: Previously-released NanoCore DDoS Plugin (taken from a research forum)
Once the threat actor has chosen the desired plugins, configuration and settings, they can go ahead and build the actual executable that will run on the victim’s machine (Figure 4).
Figure 4: NanoCore’s Builder
Once the victim is infected, the NanoCore C&C dashboard displays the usurped machine (Figure 5).
Figure 5: The listing of the infected machine in the C&C dashboard
With the infected machine under the control of the threat actor, the threat actor can perform any one of its chosen nefarious activities, such as capturing screenshots of the victim’s computer (Figure 6) or recording audio files (Figure 7), and sending these back to the C&C server.
Figure 7: Remote audio control of the victim’s microphone
One of NanoCore’s core features is password retrieval. This feature enables the threat actor to steal passwords from numerous email clients and from a handful of the most common Web browsers – including Internet Explorer, Chrome and Firefox.
What’s interesting about this feature is that it most likely uses password retrieval code from elsewhere. The code appears to originate from NirSoft – a collection of freeware tools for computer health, network monitoring, Outlook tools, etc. NirSoft is distributed to all and, as far as we can tell, branded as legitimate software. However, since the offered tools are efficient and freely available, NirSoft’s tools have become popular amongst threat actors.
In particular, we noticed common code between NirSoft’s “WebBrowserPassView” and NanoCore’s password retrieval feature. According to the NirSoft site, “WebBrowserPassView” is a “password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera. This tool can be used to recover your lost/forgotten password of any Website, including popular Web sites, like Facebook, Yahoo, Google, and GMail, as long as the password is stored by your Web Browser.”
Ironically, at the bottom of the extensive tool description there’s a short comment regarding licensing (italics, ours): “This utility is released as freeware. You are allowed to freely use it at your home or in your company. However, you are not allowed to make profit from this software or to charge your customers for recovering their passwords with this software, unless you got a permission from the software author.
You are also allowed to freely distribute this utility via floppy disk, CD-ROM, Internet, or in any other way, as long as you don't charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification !”
Getting Technical: How We Identified the Common Code
We realized that the RAT was loading an additional executable in order to perform the password retrieval. That piqued our interest since, apart from this executable, the whole RAT seems to have been written in original and native .NET code.
In a nutshell, we figured that the NanoRAT installed on the victim’s machine runs Microsoft’s Visual Basic Compiler (VBC) and swaps the code of VBC (what's called the process image) with that of the Password Retrieval application. Analyzing the memory contents, we saw some unique parameters. A quick Google search revealed that these parameters – and other pieces of code – were identical to those in NirSoft’s password recovery tool.
Figure 8: NanoCore’s Password Retrieval Capability
As a host process, NanoCore uses the “Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe” (32bit) (Visual Basic Command Line Compiler) process (Figure 9).
Figure 9: The host process details as shown by ProcMon
We further saw that the NanoCore dropper (i.e. server.exe) starts a vbc.exe process with a “/shtml” parameter.
A quick Google search revealed that NirSoft’s WebBrowserPassView tool contains a “/shtml” command line parameter (Figure 10).
Figure 10: NirSoft’s WebBrowserPassView contains /shtml as a command-line parameter
In other words, vbc.exe is a zombified process that hosts NirSoft’s WebBrowserPassView tool which runs with the “/shtml” command-line parameter.
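One way to turn this observation into a detection, as an added example that is not from the original post: it checks process-creation records (Sysmon Event ID 1 field names) for vbc.exe started with an export switch instead of compiler input. The sample events, the paths in them, the extra switches beside "/shtml" and the parent allow-list are assumptions made for illustration.

```python
import ntpath
import re

# "/shtml" is the switch reported on this page; the others are further NirSoft
# save-to-file switches, added here as an assumption.
EXPORT_SWITCHES = {"/shtml", "/stext", "/scomma", "/sxml"}
# Hypothetical allow-list of parents that legitimately spawn the compiler.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "w3wp.exe"}

# Constructed process-creation records, not captured from a real host.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"'
                    r' /shtml "C:\Users\u\AppData\Local\Temp\out.tmp"',
     "ParentImage": r"C:\Users\u\AppData\Roaming\server.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "CommandLine": r"vbc.exe /target:library /out:app.dll Module1.vb",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe /shtml.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def tokens(command_line):
    """Split a Windows command line on whitespace, keeping quoted runs whole."""
    parts = re.findall(r'"[^"]*"|\S+', command_line)
    return [p.strip('"').lower() for p in parts]

def assess(event):
    """Return (verdict, reasons) for one process-creation record."""
    if ntpath.basename(event["Image"]).lower() != "vbc.exe":
        return "ignore", []
    reasons = []
    args = tokens(event["CommandLine"])[1:]
    hits = sorted(EXPORT_SWITCHES.intersection(args))
    if hits:
        reasons.append("non-compiler switch " + ",".join(hits))
    # A real compile names a .vb source file or an @response file.
    if not any(a.endswith(".vb") or a.startswith("@") for a in args):
        reasons.append("no source or response file")
    if ntpath.basename(event["ParentImage"]).lower() not in BUILD_PARENTS:
        reasons.append("unexpected parent")
    verdict = "alert" if hits else ("review" if len(reasons) == 2 else "ok")
    return verdict, reasons

if __name__ == "__main__":
    for ev in EVENTS:
        print(assess(ev), ev["CommandLine"])
```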
When dumping the zombified vbc.exe process and comparing its strings with those of NirSoft’s WebBrowserPassView tool, we see that the strings are identical (Figure 11, Figure 12):
Figure 12: NirSoft’s WebBrowserPassView string found in the vbc.exe memory
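The string comparison described above can be scripted; the following is an added example, not the tooling used in the original analysis. It extracts ASCII and UTF-16LE strings from a memory dump, discards anything a clean copy of the host image also contains, and reports how much of a reference tool's own strings remain. The three byte blobs are constructed stand-ins, and all function and variable names are hypothetical.

```python
import re

def extract_strings(blob, min_len=6):
    """Printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(blob)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(blob)}
    return found

def foreign_strings(dump, clean_host, reference_tool):
    """Return (matched strings, share of the tool's own strings seen in dump).

    Strings the clean host image also contains are discarded first, so shared
    runtime names (DLLs, API imports) cannot inflate the match.
    """
    host = extract_strings(clean_host)
    tool_only = extract_strings(reference_tool) - host
    matched = (extract_strings(dump) - host) & tool_only
    coverage = len(matched) / len(tool_only) if tool_only else 0.0
    return matched, coverage

# Constructed stand-ins for the three inputs; none of these bytes come from
# vbc.exe, NanoCore or a NirSoft binary.
SEP = b"\x00\x00\x01"
CLEAN_HOST = SEP.join([b"MZ", b"Visual Basic Compiler", b"kernel32.dll"])
REFERENCE_TOOL = SEP.join([
    b"MZ", b"kernel32.dll", b"constructed-tool-banner",
    "/constructed_switch".encode("utf-16-le"), b"Password Field Label"])
HOLLOWED_DUMP = SEP.join([
    b"kernel32.dll", b"heap-noise-string", b"Password Field Label",
    "/constructed_switch".encode("utf-16-le"), b"constructed-tool-banner"])

if __name__ == "__main__":
    for name, dump in (("hollowed", HOLLOWED_DUMP), ("clean", CLEAN_HOST)):
        matched, coverage = foreign_strings(dump, CLEAN_HOST, REFERENCE_TOOL)
        print(f"{name}: {coverage:.0%} of tool strings present", sorted(matched))
```

High coverage in a process whose on-disk image shares none of those strings points to a replaced process image, which is the situation the post describes for vbc.exe.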
NanoCore is undoubtedly one of the more sophisticated RATs out there. Given that NanoCore’s premium features are now freely available, we predict we’ll start seeing its usage in future cyber-attack campaigns.
As a first step in defense, understanding how the RAT incorporates other programs can help security professionals enhance their protections. That said, with documentation and analysis lacking, NanoCore is still a RAT that requires further investigation by researchers.