This repo contains a technical analysis of NanoCore, a commercial Remote Access Trojan (RAT) that is cheap and easy to obtain on underground markets. NanoCore ships with its own client builder, a plugin system and several delivery methods.
<iframe src="NanoCore_1.2.20.pdf" width="600px" height="750px"></iframe>
The repo also provides the original NanoCore 1.2.2.0 sample together with the samples of its extracted stages. The password for all archives is "infected".
| TTP | Description | Code | Detection |
|---|---|---|---|
| Credential Access: Input Capture: Keylogging (T1056.001) | NanoCore logs keystrokes through its surveillanceEx plugin | Code | Rule/Query coming soon! |
| Privilege Escalation: Scheduled Task/Job: Scheduled Task (T1053.005) | NanoCore uses the Task Scheduler in an unusual way to escalate privileges | Code | Rule/Query coming soon! |
| Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) | NanoCore persists by writing itself to the Windows Run registry keys | Code | Rule/Query coming soon! |
| Collection: Clipboard Data (T1115) | NanoCore steals clipboard contents by registering itself as a clipboard viewer | Code | Rule/Query coming soon! |
| Collection: Data from Local System (T1005) | NanoCore collects DNS records from the victim's DNS cache | Code | Rule/Query coming soon! |
| Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001) | NanoCore protects its process so that it cannot be terminated without crashing the system, which stops security tools from killing it and mitigating the threat | Code | Rule/Query coming soon! |
| Defense Evasion: Subvert Trust Controls: Mark-of-the-Web Bypass (T1553.005) | NanoCore bypasses Mark-of-the-Web by deleting the Zone.Identifier stream from files | Code | Rule/Query coming soon! |
| Defense Evasion: Process Injection: Process Hollowing (T1055.012) | NanoCore executes its stage 2 payload by extracting it from the stage 1 resources and injecting it into a new instance of the stage 1 process via process hollowing | Code | Rule/Query coming soon! |
| Command & Control: Non-Application Layer Protocol (T1095) | NanoCore creates raw sockets for C2 communication and data exfiltration | Code coming soon! | Rule/Query coming soon! |
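The Mark-of-the-Web row above describes NanoCore deleting the Zone.Identifier stream. As an added example (not code from this repository or from NanoCore itself), the following Python parses that alternate data stream and, on Windows/NTFS, reads it from a file so an analyst can check whether a dropped stage still carries its mark. The sample stream content is constructed, and the `read_motw` helper is an assumed name that returns None on non-Windows systems where alternate data streams are unavailable.

```python
"""Check whether a file still carries a Mark-of-the-Web (Zone.Identifier ADS).

Added example, not part of the NanoCore repository: a parser for the
INI-style Zone.Identifier alternate data stream plus a helper that reads
it from disk on Windows/NTFS. The sample stream content is constructed.
"""
import sys
from typing import Optional

# URL security zone IDs as written by Windows into the [ZoneTransfer] section.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(content: str) -> dict:
    """Parse Zone.Identifier stream text into a dict.

    Only keys inside the [ZoneTransfer] section are honoured. A stream with
    no ZoneId (or no such section) is treated as carrying no mark.
    """
    section = None
    fields = {}
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()

    zone_id = None
    if "zoneid" in fields:
        try:
            zone_id = int(fields["zoneid"])
        except ValueError:
            zone_id = None  # malformed value: do not trust it as a mark

    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown") if zone_id is not None else "None",
        "referrer_url": fields.get("referrerurl"),
        "host_url": fields.get("hosturl"),
    }


def is_marked_untrusted(info: dict) -> bool:
    """True when the mark says the file came from the Internet or Restricted zone."""
    return info["zone_id"] in (3, 4)


def read_motw(path: str) -> Optional[dict]:
    """Read and parse <path>:Zone.Identifier (assumed helper name).

    Returns None when the stream is absent (MOTW stripped or never applied)
    or when not running on Windows, where alternate data streams do not exist.
    """
    if sys.platform != "win32":
        return None
    try:
        # NTFS exposes the ADS through the "file:stream" path syntax.
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


# Constructed sample of what a browser download writes; not taken from any sample.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/installer.exe\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"sample: zone {info['zone_id']} ({info['zone_name']}), host {info['host_url']}")
    for p in sys.argv[1:]:
        m = read_motw(p)
        print(p, "MOTW present:" if m else "no Zone.Identifier stream", m or "")
```

A dropped stage that arrived by download or e-mail but has no Zone.Identifier stream, while the archive it came from still does, is consistent with the behaviour in the table. The same stream can be inspected from PowerShell with `Get-Content -Path <file> -Stream Zone.Identifier`.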
Note: the artifacts and code in this repository are intended for educational purposes only!