NanoCore: An overview of the Remote Access Trojan’s capabilities

• NanoCore RAT has been used in attacks against energy and gas firms in Asia and the Middle East.
• The latest variant of the NanoCore trojan is capable of stealing browsing information from over 25 different web browsers, stealing credentials from 15 different email and file transfer clients, and scanning for popular remote admin tools like SSH, VNC, and RDP.

NanoCore is a Remote Access Trojan which was first spotted in 2013. Since then, it has been available in the Dark Web. This trojan can be modified by its users as per their needs. Kaspersky Lab reported that NanoCore RAT is one of the third most widespread RATs that attackers can easily modify for different purposes. This RAT has been used in attacks against energy and gas firms in Asia and the Middle East.

Arrest of the NanoCore author

The malware author of NanoCore, Taylor Huddleston was arrested in July 2017 and sentenced to 33 months in prison for developing the malware for the use of malicious intent. This RAT was being used to spy on webcams and steal passwords from infected systems.

NanoCore variant leaks

• The trojan’s Alpha version was leaked in December 2013
• The next year, the trojan’s Beta version 1.0.2.0 was leaked.
• Beta version 1.0.3.0 was leaked by multiple sources in March and April 2014 and version 1.1.0.7 was leaked in July and August 2014.
• Finally, full version 1.2.2.0 (premium plugins) was leaked in March 2015.

New NanoCore variant

In January 2019, a new version of NanoCore RAT dubbed ‘NanoCore 1.2.2.0’ was spotted targeting Windows systems. This variant is capable of registry edit, process control, upgrade, file transfer, keylogging, and password stealing.

An updated NanoCore variant was spotted using Google Sheets for propagation. Attackers bypassed Google security filters by injecting malicious code in CSV files to distribute this malware.

NanoCore distributed via ISO disk image files

Researchers observed several malspam campaigns distributing the LokiBot and NanoCore trojans since April 2019. The spam emails include an ISO disk image file disguised as wire payment message. Upon opening the file, Lokibot and NanoCore trojans were dropped on the victims’ computers.

The latest variant of the NanoCore trojan used in this campaign is capable of stealing browsing information from over 25 different web browsers, stealing credentials from 15 different email and file transfer clients, and scanning for popular remote admin tools like SSH, VNC, and RDP.