DeMISTIfying Infosec: NanoCore Trojan

March 22, 2016
By Katherine Teitler

The first cracked version was not very advanced, but the second release, leaked in February 2014, included many additional capabilities. Once it was posted to underground forums, cyber criminals began replicating the Trojan and writing and releasing updated versions. The timeline of updates:

• Alpha version leaked in December 2013
• Beta version 1.0.2.0 leaked in February 2014
• Beta version 1.0.3.0 leaked by multiple sources in March and April 2014
• Beta version 1.1.0.7 leaked by multiple sources in July and August 2014
• Beta version 1.1.0.10 leaked in October 2014
• Full version 1.2.2.0 (premium plugins) leaked in March 2015

As new versions are authored and then leaked, usage increases in the criminal market. While adversaries can find free versions on the dark Web, paid versions also circulate. The low cost (generally $25 USD and under) makes it accessible and attractive to criminals, even when a price is attached.

NanoCore targets energy and utilities companies in the Middle East and Asia but has proven most effective against companies in the US and Canada. Criminals distribute the RAT through malicious emails that spoof messages from a legitimate oil company in South Korea. The emails are convincingly authentic, which increases the probability that the Trojan will be activated. The delivery mechanism is an RTF (rich text format) or Word document that takes advantage of the well-known vulnerability CVE-2012-0158, which affects older versions of the Microsoft Windows Common Controls ActiveX component MSCOMCTL.OCX.
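For defenders triaging such attachments, the sketch below is an added example (not code from the article or from any vendor) that decodes the `\objdata` groups of an RTF file and reports any embedded control whose ProgID belongs to the MSCOMCTL.OCX library. It covers RTF only, treats a hit as a reason to hold the file for analysis, and assumes the hex run is not interrupted by other control words; the sample documents are constructed.

```python
import re

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")        # OLE2 compound-file signature
PROGID_RE = re.compile(rb"MSComctlLib\.[A-Za-z0-9.]+")  # ProgIDs of controls in MSCOMCTL.OCX
OBJDATA_RE = re.compile(rb"\\objdata(?![a-z])([^{}\\]*)")

def objdata_blobs(rtf: bytes):
    """Yield the decoded bytes of each \\objdata group (hex text in the RTF)."""
    for m in OBJDATA_RE.finditer(rtf):
        # RTF readers skip whitespace inside the hex run, so drop everything non-hex.
        hexchars = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))
        hexchars = hexchars[: len(hexchars) & ~1]   # ignore a dangling nibble
        yield bytes.fromhex(hexchars.decode("ascii"))

def triage_rtf(rtf: bytes) -> dict:
    """Count embedded objects and list any MSCOMCTL.OCX control they name."""
    report = {"is_rtf": rtf.lstrip().startswith(b"{\\rtf"),
              "objects": 0, "ole2": 0, "mscomctl_refs": []}
    for blob in objdata_blobs(rtf):
        report["objects"] += 1
        report["ole2"] += int(OLE2_MAGIC in blob)
        # Removing NULs lets one pattern match ASCII and UTF-16LE spellings alike.
        flat = blob.replace(b"\x00", b"")
        report["mscomctl_refs"] += [p.decode() for p in PROGID_RE.findall(flat)]
    # Heuristic only: a hit means "hold for analysis", not "confirmed exploit".
    report["suspicious"] = bool(report["mscomctl_refs"])
    return report

# Constructed samples, not taken from any real message.
BENIGN = rb"{\rtf1\ansi Quarterly invoice attached.}"
_blob = (b"\x01\x05\x00\x00" + b"MSComctlLib.ListViewCtrl.2\x00" + OLE2_MAGIC).hex().encode()
FLAGGED = (rb"{\rtf1{\object\objocx{\*\objdata " + _blob[:20] + b"\r\n "
           + _blob[20:] + rb"}}}")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, triage_rtf(doc))
```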

In recent months, using the impending Tax Day in the US as a scare tactic, versions of Trojan.Nancrat have appeared in tax-themed emails requesting the user's "urgent attention." Once downloaded, a malicious .EXE or Word file executes. The exploit manipulates plugins and can install an unauthorized remote desktop capability, log keystrokes, recover passwords, download and install malicious software, edit the registry, modify the firewall, assume control of the computer's webcam or microphone, transfer files, and more.

According to Palo Alto, the plugins available to a NanoCoreRAT sample are encrypted and stored in the resource section of the PE file, which means they are challenging to remove and cannot be altered easily by the owner.

Free removal tools and software do exist and can be downloaded from various resources.
