What Is Nanocore Malware?
Nanocore is sophisticated second-stage malware classified as a Remote Access Trojan (RAT) that provides attackers with Remote Code Execution (RCE) on a victim’s system. Nanocore is usually delivered via infected Microsoft Office documents but has been observed to be delivered with more sophisticated methods, such as in encrypted .zip/.zipx files, .iso disk image files, and binary image files, to evade endpoint security products.
Nanocore gives an attacker direct access to the compromised system to execute objectives manually. But the malware’s modular, plugin-based architecture allows even novice threat actors to quickly configure automated exploits, including file exfiltration, keystroke logging, screenshot exfiltration, and other hardware exploitation capabilities like webcam and microphone surveillance. Credentials stolen by Nanocore are typically used to compromise local network or cloud-service accounts further or are sold on the Dark Web.
First observed in 2013, Nanocore has seen several version updates since its inception and continues to be maintained by a community of developers. In 2017 the FBI tracked down and arrested Nanocore’s leading developer, who was sentenced to 33 months in prison for violating the Computer Fraud and Abuse Act. Unfortunately, the imprisonment of Nanocore’s leader did not stop the malware’s continued development and propagation; in 2021, Nanocore was rated as a top malware strain by CISA and is considered high-risk.
How Nanocore Works
As a second-stage exploit kit, Nanocore is introduced to a victim’s system by first-stage downloader malware as part of the initial exploit. These initial access attacks predominantly use social engineering tactics such as email phishing to bait a victim.
During its first execution, Nanocore:
- Injects itself into RegAsm.exe using a technique known as process hollowing to execute its primary payload with a high privilege level
- Installs malicious executable (.exe) files in the victim’s home directory
- Adds itself to the Windows Registry Run keys to maintain persistence even after a reboot
- Establishes communication with a command and control (C2) server to receive relay environment and system architecture
- Attempts to execute on secondary objectives such as sensitive data exfiltration, monitoring and surveillance, deploying ransomware, and further network enumeration and lateral movement
Nanocore is especially noteworthy for its modular design, allowing threat actors to integrate pre-built plug-ins to perform various malicious activities quickly.
An Abbreviated List of Nanocore’s Plug-and-Play Capabilities
- Keystroke and screenshot exfiltration
- Audio and video capture surveillance
- Remote code execution via remote C2C interface
- Reverse proxy connection
- Sensitive file identification and exfiltration
- Ransomware deployment
Signs of a Nanocore Attack
Because Nanocore includes features to avoid detection, it is challenging to detect post-compromise. Nanocore will hijack legitimate processes to hide itself.
Some versions of Nanocore will place .exe files in a user’s home directory or temp directories. These files are similar to other forms of malware that use random values for filenames, such as ccgkcf.exe. They are indistinguishable from other forms of malware without further reverse compiling and analysis.
In early 2020 security researchers noted that COVID-related phishing campaigns caused a threefold increase in spam volume. Nanocore was implicated as the strain of malware linked to many attacks.
How to Prevent a Nanocore Attack
Preventing a successful attack using a sophisticated strain of malware such as Nanocore requires a defense-in-depth approach in which multiple defensive tactics must be in place simultaneously, including:
- Preventing first-stage malware from gaining initial access
- Implementing robust network security configurations with the ability to monitor network activity for indicators of compromise (IOCs)
- Implementing Endpoint Detection and Response (EDR) technologies with the ability to prevent attacks before they can execute
- Detecting, analyzing, and responding to any IOC throughout the network
- Maintaining well-rehearsed Disaster Recovery Plans (DRP) and a robust backup strategy
Some specific activities that can help prevent a Nanocore attack include:
- Implement strong network security, including least-privilege access, role-based access controls, multi-factor authentication, and defense-in-depth to reduce the potential damage of stolen credentials
- Develop and maintain a strong backup strategy to ensure resilience against ransomware attacks
- Install and configure endpoint security products that will scan encrypted documents immediately after they are unencrypted
- Implement Zero Trust solutions wherever possible, giving priority to critical systems
- Ensure Office applications are configured with Disable all macros without notification or Disable all except digitally signed macros settings
- Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents