Malware has also taken its share of the rapid progress of technology. Malware generation and distribution is now offered as a service: tools for carrying out harmful operations are sold ready-made on the internet, and all a malicious actor has to do is buy them and set them up with a couple of keystrokes. Nanocore was one of them, and it was on sale for $20. In the images below [1,2] you will see Nanocore’s website and the thoughts of the person who wrote the malware.
This analysis is intended to explain what the Nanocore malware, which has been active in recent years, does. In the article you will find the Nanocore builder, how Nanocore spreads and what it does on the system. The purpose of the malware is to provide remote access (RAT) and let the attacker do whatever they want on the victim system. Below is a summary and images of the ATT&CK techniques used.
As I mentioned at the beginning of the article, Nanocore is sold as a simple program, as a service. Now I want to talk about the builder of this program. When we open the program, the news section welcomes us. The builder offers options such as:
- Clients: The section where the infected systems appear.
- Network: The section where network settings are made.
- System: The section where server settings are made.
- Builder: Builds the executable file of the Nanocore malware.
- Plugins: The section with plugins.
- MultiCore: A section for password recovery, stress testing and remote code execution.
- NanoStress: The section showing the active nodes.
The part that caught my attention here was the “Builder” menu. The settings here tell us about the general features of Nanocore. When you enter the menu, there are simple, advanced, DNS, assembly, notification and surveillance features.
In the simple features, we see the IP address and port settings. Apart from these, the UAC bypass feature, which I think is very important, is also worth noting. When we hover over the feature, we see that the victim must have performed an action with admin privileges at least once.
When we come to the advanced settings, the “Set ProcessBreakOnTermination Flag” feature draws my attention. This feature prevents the Nanocore process running on the victim system from being stopped in any way, whether by the user or by a third-party application. But for this, as with the UAC bypass, the user must have run it with admin privileges before.
Although the following settings are not as interesting as the first ones, I would like to explain some of them. Under “DNS Server Settings”, it asks which DNS server the malware will use, a feature I haven’t seen before. Here we can use a specific DNS server from certain service providers, or the settings that the system already uses. Other than these, the settings are related to the notification and keylogging features.
Let’s start to examine our malware, which is spread by phishing mails. The mail is a classic phishing email: although it contains no personal information, it appears to be about a contract. You can see a screenshot of the mail in the image below.
It gave us the deobfuscated file. Now let’s load this file into dnSpy and examine it. As you can see, the class, function and variable names are now much more understandable.
When we look at the code, some functions catch our eye. One of them is the smethod_1 function written for HTTP traffic; it receives HTTP requests. Below is a screenshot of this function.
We also see that functions are written for file operations. These are the smethod_1 and smethod_2 functions under Class2. While smethod_1 does file reading operations, smethod_0 does file writing operations.
Now let’s run the file and see what it does. For this, we can use applications such as Process Hacker and Process Explorer. I will take the images from Any.run [5], an online analysis platform that I think is much easier to follow visually. As you can see, the application copies itself once via CMD. Then it runs the copied file, again via CMD. The copied file then calls itself and starts doing harmful operations.
To see these CMD commands in the debugger, we load the malware into the debugger. The function used to open the CMD application is “CreateProcessW”. When we put a breakpoint on this function and run, we get the same command as we see in the image above.
Command used here: “C:\Windows\System32\cmd.exe” /c copy “C:\Users\admin\Desktop\New Proposal_2019.exe” “C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe”. This command copies the malware we are running to the Startup folder and provides the malware with persistence.
When we run it through the debugger and come to the breakpoint again, we see that the CMD is called again.
In the next step, we see that the malware adds itself to the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” registry key with the “boot” parameter. The malware’s purpose here is again persistence.
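As an added example (not code from the original analysis), here is a small Python check that flags both persistence steps seen above, the cmd.exe copy into the Startup folder and the HKCU Run value, over constructed Sysmon-style events. The pipe-separated event format and the assumption that the “boot” value holds the path of app.exe are mine, not taken from the sample.

```python
import re

# Constructed, simplified Sysmon-style events, not real Any.run or Sysmon output:
# "1|Image|CommandLine" for process creation, "13|TargetObject|Details" for a
# registry value being set. The "boot" value data is assumed to be the app.exe path.
SAMPLE_EVENTS = r"""
1|C:\Users\admin\Desktop\New Proposal_2019.exe|"C:\Users\admin\Desktop\New Proposal_2019.exe"
1|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c copy "C:\Users\admin\Desktop\New Proposal_2019.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe"
13|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\boot|C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\app.exe
1|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe" /c copy "C:\tools\notes.txt" "C:\Users\admin\Documents\notes.txt"
13|HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater|"C:\Program Files\Vendor\updater.exe" /background
""".strip().splitlines()

STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
RUN_KEY_RE = re.compile(r"^hkey_current_user\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads|documents)\\", re.I)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def check_event(line):
    """Return a finding for one event, or None when it shows no persistence behaviour."""
    event_id, field1, field2 = line.split("|", 2)
    args = split_args(field2)
    if event_id == "1" and field1.lower().endswith("\\cmd.exe"):
        # Startup-folder persistence: cmd.exe /c copy <src> <...\Startup\x.exe>
        low = [a.lower() for a in args]
        if "copy" in low:
            i = low.index("copy")
            if i + 2 < len(args) and STARTUP_DIR in low[i + 2]:
                return f"cmd.exe copied {args[i + 1]} into the Startup folder as {args[i + 2]}"
    elif event_id == "13" and RUN_KEY_RE.match(field1):
        # Run-key persistence whose target lives in a user-writable directory
        target = args[0] if args else ""
        if USER_WRITABLE_RE.search(target):
            value_name = field1.rsplit("\\", 1)[1]
            return f"HKCU Run value {value_name!r} points into a user-writable directory: {target}"
    return None


def scan(lines):
    """Run check_event over every line and keep the findings."""
    return [finding for finding in map(check_event, lines) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the two Nanocore events produce findings; the benign copy into Documents and the Run value under Program Files are ignored.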
When the malware finally launches itself as “app.exe”, we can reach the real Nanocore client. Although there are several methods for unpacking, we will extract the real client with the pe-sieve [6] application, which does a really good job in this regard. We run pe-sieve as follows:
“pe-sieve <application_pid>”
The point to note here: as seen in the process tree above, there are two app.exe processes. The PID of the second app.exe must be entered.
The resulting file may be obfuscated like the first one. So we deobfuscate the malware using de4dot and load it into dnSpy. The functions here match the functions in the Builder section. The function below is the part that copies the malware’s resource (where the payload is located).