NanoCore is a high-risk RAT that provides attackers with details on the device name and OS. This information is used to carry out various malicious activities, such as manipulating confidential files, hijacking webcam and microphone, stealing login credentials and more.
NanoCore ships with base plugins that extend the malware's capabilities, each enabling specific malicious actions. Since its discovery in 2013, NanoCore has gone through multiple versions over the years.
In 2015, targeted emails were sent to energy companies in Asia and the Middle East by spoofing email addresses of a legitimate South Korean oil company. Attached to the email was a malicious RTF file that dropped the NanoCore trojan.
Generally, malicious spam email attachments like MS Office documents are used to deliver NanoCore malware. But with advanced spam filters, cybercriminals are forced to get creative, and you can bet they are leaving no stone unturned.
PowerPoint files are being used by threat actors to spread NanoCore RAT. The delivery method is very distinct since the infection chain takes place over multiple stages before the final payload is executed. Even email gateway scanners are unable to cut through the multi-layered approach.
Educating employees on security best practices can help them stay alert against phishing scams. With that being said, it would be prudent not to rely solely on the judgment of your employees. A good backup and recovery system needs to be put in place to protect your business when things go south.
In this blog, we will present some findings on how NanoCore RAT 1.2.2.0 is actively being delivered in new and different ways that we discovered at Morphisec Labs in the last couple of months. Specifically, we will focus on the sophisticated fileless methods for delivering the RAT without touching the disk.
NanoCore Malware is a RAT that has become popular in recent years, as it is commonly used by threat actors and is believed to be one of the most sophisticated RATs on the market. Since it was discovered in 2013, multiple different versions have been leaked on underground forums. The latest leaked version was 1.2.2.0 in March 2015, and it is available online to download for free. NanoCore RAT comes with a few base plugins and the ability to expand its functionality, so threat actors can develop additional features for other malicious actions. There is already a wide range of NanoCore plugins available online that can be used for cryptocurrency mining, ransomware attacks, and more.
Defense solutions have been updated to detect NanoCore malware based on multiple metadata and strings that reside within its Client executable. Going fileless and in-memory gives the adversaries the advantage of bypassing behavior and static scanning attempts without sacrificing functionality.
The most common initial delivery method today is via attachments in spam emails and web download links. Previously, security researchers found MS Word documents with auto-executing malicious VBA code and a fake invoice in PDF format that install the NanoCore RAT.
The first delivery method we identified uses the actual AutoIT interpreter, Autoit3.exe (version 3.3.8.1): the legitimate AutoIT Script interpreter was renamed to cxf.exe to bypass basic script-control-based solutions. Additionally, the malicious code was executed as a script rather than compiled into an AutoIT executable, to further evade detection by AV. The malicious script demonstrates advanced support for process hollowing on both 32- and 64-bit architectures, VM evasion, and the use of advanced shellcodes such as RunPE. Here we will investigate the functionality of the script and how it delivers and executes the NanoCore RAT. A similar type of attack was previously reported by TALOS and HornetSecurity, but with a different primary source of the attack and a different file type for the config file.
The third delivery method involves the compilation of the malicious AutoIT script into an executable that includes additional functionality. With this method, the executable includes mechanisms for bypassing user control based on the target OS, extended hollowing capabilities for executing the NanoCore RAT from within different legitimate Windows processes, and more advanced shellcodes that bypass hooks and monitoring.
AutoIT script is a legitimate tool that is used by many IT administrators to automate tasks. At the same time, it is constantly leveraged by malware authors to deliver different types of malware. In March 2018, security researchers at HornetSecurity witnessed an attack where the NanoCore RAT was distributed via a phishing email that had a PDF file with a link that downloaded a self-extracting archive. The archive contained a legitimate AutoIT interpreter that had been renamed, a malicious script, a configuration file with a .docx extension, and many other files with various extensions.
In April 2019, researchers at SonicWall observed a phishing campaign that spread the NanoCore RAT through malicious attachments. The attachments contained an ISO file holding an AutoIT-compiled executable that ran the NanoCore RAT in memory.
The first thing to notice is its obfuscation, which is similar to that of the main script. After spending a significant amount of time on de-obfuscation, we were able to find some interesting items inside. The script starts with declared global variables, some of which are DWORD values for registry checks and modifications; others hold values obtained from the configuration file. We also noticed some unused variables that might simply be included for use in later versions. As soon as this script is triggered, it sets the attributes of the files in the current directory to read-only and hidden, just like the previous script. The script then performs different checks and modifies system configuration and registry values. It checks whether it is running inside a virtual machine or a sandboxed application and, if so, terminates. Otherwise, it disables UAC, system restore points, and Task Manager, and then adds a Windows Update key to the registry and to startup for persistence. Finally, if the config file contains a URL, it downloads the payload from there. If the config file contains raw PE data, it takes the payload from there and injects it into the process memory of RegSvcs.exe using the RunPE technique.
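The registry changes described above (UAC, System Restore and Task Manager disabled, a Run-key entry added) leave a recognisable trail. The following detector is an added example, not code from the original post: it runs over constructed, simplified Sysmon-style "value set" events and groups the tampering actions by the process that wrote them. The policy key paths are real Windows locations; the image path and the Run-key value name "WindowsUpdate" are constructed placeholders.

```python
import re

# Registry values the de-obfuscated script sets, with the value that signals tampering.
# Key paths are real Windows policy locations; the matching is case-insensitive.
WATCHED = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA".lower():
        ("DWORD (0x00000000)", "UAC disabled"),
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR".lower():
        ("DWORD (0x00000001)", "System Restore disabled"),
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr".lower():
        ("DWORD (0x00000001)", "Task Manager disabled"),
}
# Any value written directly under the per-user Run key is startup persistence.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
EVENT_RE = re.compile(r"Image=(?P<image>.+?) TargetObject=(?P<key>.+?) Details=(?P<details>.*)$")

# Constructed sample events (simplified Sysmon EventID 13 fields); cxf.exe is the renamed interpreter.
SAMPLE_EVENTS = [
    "Image=C:\\Users\\bob\\Downloads\\cxf.exe TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA Details=DWORD (0x00000000)",
    "Image=C:\\Users\\bob\\Downloads\\cxf.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr Details=DWORD (0x00000001)",
    "Image=C:\\Users\\bob\\Downloads\\cxf.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate Details=C:\\Users\\bob\\Downloads\\cxf.exe script.au3",
    "Image=C:\\Windows\\explorer.exe TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden Details=DWORD (0x00000001)",
]

def classify(event):
    """Return (image, reason) if the event is one of the script's tampering actions, else None."""
    m = EVENT_RE.match(event)
    if not m:
        return None
    image, key, details = m["image"], m["key"], m["details"]
    watched = WATCHED.get(key.lower())
    if watched and details == watched[0]:
        return (image, watched[1])
    if RUN_KEY.search(key):
        return (image, f"Run-key persistence -> {details}")
    return None

def score_events(events):
    """Group hits by writing process; several categories from one image looks like the script."""
    hits = {}
    for ev in events:
        r = classify(ev)
        if r:
            hits.setdefault(r[0], []).append(r[1])
    return hits

if __name__ == "__main__":
    for image, reasons in score_events(SAMPLE_EVENTS).items():
        print(f"{image}: {len(reasons)} tampering action(s): {'; '.join(reasons)}")
```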
Below are a few images of code from the script, which we de-obfuscated and cleaned, renaming functions and variables to show the functionality. The functions are not in their exact order; instead, they are presented in the order below for ease of understanding.
In previous versions, we identified the use of simplistic RunPE for injection and hollowing of the NanoCore. However, in the current version, the shellcode was adjusted to implement known methods of bypass and evading hooks by remapping the relevant executables from the knownDlls section.
This research further exposes the tendency of adversaries to abuse memory for the execution of known RAT families that are otherwise easily detected when downloaded to disk. We also see a drastic increase in sophistication over the last year through moving more and more of the attack stages into the memory while using a legitimate Windows process to bypass whitelisting.
A new version of the infamous NanoCore RAT (Remote Access Trojan) has resurfaced on the dark web and is being offered for free. The news has given nightmares to cybersecurity experts across the world. Even though the first version surfaced way back in 2013, it is still considered highly potent and can be deployed to extract financial information from unsuspecting users or even to launch a phishing attack.
NanoCore RAT has been in the news for a while now. In 2017, the author of the trojan, Taylor Huddleston, was sentenced to serve a 33-month term in jail for aiding and abetting computer intrusions by developing, marketing and distributing the trojan on the dark web.
In 2015, a paid version of NanoCore was made available on the open Internet. However, free, cracked versions were quickly leaked, which most likely led to its widespread use and popularity among underground criminals.
NanoCore is a modular RAT which means that the threat actor can expand its functionality by installing additional modules based on his or her own needs. This is what makes NanoCore so desirable to criminals.
If you suspect that you are infected with a RAT, consider confirming this first. This can be done by monitoring network connections and looking for any unexpected connections on an open port. Netstat is a great utility which allows you to view all active and listening TCP and UDP ports on a local machine.
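The netstat check described above can be turned into a small triage script. This is an added example, not code from the original post: it parses constructed lines in the format of Windows `netstat -ano`, keeps only established connections, and flags those that hit a known C2 endpoint (the one named elsewhere on this page) or an unexpected remote port. The sample addresses, PIDs and the list of expected ports are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    10.0.0.12:49712        40.97.164.146:443      ESTABLISHED     4120
  TCP    10.0.0.12:49801        194.5.98.85:11903      ESTABLISHED     5236
  TCP    10.0.0.12:49802        10.0.0.5:445           ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1404
"""
# proto, local, foreign, optional state (UDP rows have none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")
# Remote ports an ordinary workstation is expected to talk to; tune per environment.
EXPECTED_REMOTE_PORTS = {53, 80, 88, 135, 389, 443, 445}
# C2 endpoint quoted on this page for the NanoCore 1.2.2.0 sample.
KNOWN_C2 = {("194.5.98.85", 11903)}

def parse_netstat(text):
    """Return (proto, local, remote_host, remote_port, state, pid) per connection line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        rows.append((proto, local, host, int(port) if port.isdigit() else None, state, int(pid)))
    return rows

def flag_connections(text):
    """Return {pid: [reasons]} for established connections worth a closer look."""
    findings = defaultdict(list)
    for proto, local, host, port, state, pid in parse_netstat(text):
        if state != "ESTABLISHED" or port is None:
            continue
        if (host, port) in KNOWN_C2:
            findings[pid].append(f"matches known NanoCore C2 {host}:{port}")
        elif port not in EXPECTED_REMOTE_PORTS:
            findings[pid].append(f"unusual remote port {host}:{port}")
    return dict(findings)

if __name__ == "__main__":
    for pid, reasons in flag_connections(SAMPLE_NETSTAT).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

On a live host, feed the script the real output of `netstat -ano` and resolve the flagged PIDs to their process images; a connection owned by an unexpected process such as a hollowed RegSvcs.exe is the signal to escalate.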
Most malware sent via emails is packaged in archives such as ZIP, RAR, and 7z (7-Zip). Occasionally, we encounter some clever and creative ways these malicious archives are crafted. Here we will examine an example of an oddly formatted ZIP archive hiding the NanoCore malware.
We spotted a courier themed spam campaign on our Secure Email Gateway (SEG) cloud recently. The message claimed to be from an Export Operation Specialist of USCO Logistics and that it was sent as per their customer request. Aside from this, there were several other suspicious items we noted:
The attachment SHIPPING_MX00034900_PL_INV_pdf.zip makes this message stand out. The ZIP file had a file size significantly greater than that of its uncompressed content. Typically, the size of the ZIP file should be less than the uncompressed content or, in some cases, ZIP files will grow larger than the original files by a reasonable number of bytes.
The second ZIP structure contains SHIPPING_MX00034900_PL_INV_pdf.exe, which is a NanoCore RAT. This remote access trojan has the capability that allows an attacker to completely take control of the compromised machine. It connects to its command and control server at 194.5.98.85 on port 11903. This NanoCore RAT is version 1.2.2.0 which has been found to be offered for free on the Dark Web just a few months ago.
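The two paragraphs above describe an archive that is larger than its own content and carries a second, complete ZIP structure. The checker below is an added example, not code from the original post: it builds a constructed stand-in (a decoy archive followed by a second archive whose single entry is a harmless stub named like the .exe above, not a real PE), then counts end-of-central-directory and local-file-header signatures and compares them with what Python's zipfile, which reads the last structure, actually exposes. Signature counting is a heuristic, since compressed data can in principle contain those bytes.

```python
import io
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record signature
LFH_SIG = b"PK\x03\x04"   # local file header signature

def build_samples():
    """Constructed samples: a plain ZIP, and that ZIP followed by a second complete ZIP."""
    first, second = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(first, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("SHIPPING_MX00034900_PL_INV_pdf.txt", b"decoy " * 10)
    with zipfile.ZipFile(second, "w", zipfile.ZIP_DEFLATED) as z:
        # Stub payload, not a real executable: just a DOS header tag and padding.
        z.writestr("SHIPPING_MX00034900_PL_INV_pdf.exe", b"MZ" + b"\x90" * 200)
    return {"plain": first.getvalue(), "concatenated": first.getvalue() + second.getvalue()}

def inspect_zip(data):
    """Structural findings for one archive blob: signature counts vs. entries the parser sees."""
    eocd_records = data.count(EOCD_SIG)
    local_headers = data.count(LFH_SIG)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()          # zipfile locates the LAST EOCD, so it sees the second structure
    uncompressed = sum(i.file_size for i in infos)
    return {
        "eocd_records": eocd_records,
        "local_headers": local_headers,
        "entries_seen": len(infos),
        "names": [i.filename for i in infos],
        "size_ratio": round(len(data) / uncompressed, 2) if uncompressed else None,
        # More than one EOCD, or more local headers than listed entries, means hidden structures.
        "suspicious": eocd_records > 1 or local_headers > len(infos),
    }

if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, inspect_zip(blob))
```

Different unarchivers pick different structures from such a file, so a gateway that inspects only the first one may never see the executable; flagging any archive with more than one end-of-central-directory record sidesteps that disagreement.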