1. Home
  2. Software
  3. NanoCore

NanoCore

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]

ID: S0336
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 25 September 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 修改注册表

NanoCore has the capability to edit the Registry.[1][3]
Enterprise T1573 .001 加密通道: Symmetric Cryptography

NanoCore uses DES to encrypt the C2 traffic.[3]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[2]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

NanoCore can open a remote command-line interface and execute commands.[3] NanoCore uses JavaScript files.[2]
.005 命令与脚本解释器: Visual Basic

NanoCore uses VBS files.[2]
Enterprise T1562 .001 妨碍防御: Disable or Modify Tools

NanoCore can modify the victim's anti-virus.[1][3]
.004 妨碍防御: Disable or Modify System Firewall

NanoCore can modify the victim's firewall.[1][3]
Enterprise T1027 混淆文件或信息

NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[3]
Enterprise T1016 系统网络配置发现

NanoCore gathers the IP address from the victim’s machine.[1]
Enterprise T1125 视频捕获

NanoCore can access the victim's webcam and capture data.[1][3]
Enterprise T1105 输入工具传输

NanoCore has the capability to download and activate additional modules for execution.[1][3]
Enterprise T1056 .001 输入捕获: Keylogging

NanoCore can perform keylogging on the victim’s machine.[3]
Enterprise T1123 音频捕获

NanoCore can capture audio feeds from the system.[1][3]

Groups That Use This Software

ID Name References
G0064 APT33

[5]
G0083 SilverTerrier

[6]
G0078 Gorgon Group

[4]
G0043 Group5

[7]

References

  1. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  2. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
  3. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  4. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  1. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  2. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
  3. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.