1. Home
  2. Software
  3. NanoCore

NanoCore

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]

ID: S0336
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 30 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

NanoCore can capture audio feeds from the system.[1][3]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

NanoCore can open a remote command-line interface and execute commands.[3] NanoCore uses JavaScript files.[2]
.005 Command and Scripting Interpreter: Visual Basic

NanoCore uses VBS files.[2]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

NanoCore uses DES to encrypt the C2 traffic.[3]
Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

NanoCore can modify the victim's anti-virus.[1][3]
.004 Impair Defenses: Disable or Modify System Firewall

NanoCore can modify the victim's firewall.[1][3]
Enterprise T1105 Ingress Tool Transfer

NanoCore has the capability to download and activate additional modules for execution.[1][3]
Enterprise T1056 .001 Input Capture: Keylogging

NanoCore can perform keylogging on the victim’s machine.[3]
Enterprise T1112 Modify Registry

NanoCore has the capability to edit the Registry.[1][3]
Enterprise T1027 Obfuscated Files or Information

NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[3]
Enterprise T1016 System Network Configuration Discovery

NanoCore gathers the IP address from the victim’s machine.[1]
Enterprise T1125 Video Capture

NanoCore can access the victim's webcam and capture data.[1][3]

Groups That Use This Software

ID Name References
G0064 APT33

[5]
G0078 Gorgon Group

[4]
G0043 Group5

[6]
G0083 SilverTerrier

[7]

References

  1. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  2. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
  3. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  4. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  1. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  2. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  3. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.