S0336 NanoCore
NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]
| Item | Value | 
|---|---|
| ID | S0336 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.1 | 
| Created | 29 January 2019 | 
| Last Modified | 30 March 2020 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1123 | Audio Capture | NanoCore can capture audio feeds from the system.[1][3] | 
| enterprise | T1547 | Boot or Logon Autostart Execution | - | 
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[2] | 
| enterprise | T1059 | Command and Scripting Interpreter | - | 
| enterprise | T1059.003 | Windows Command Shell | NanoCore can open a remote command-line interface and execute commands.[3] NanoCore uses JavaScript files.[2] | 
| enterprise | T1059.005 | Visual Basic | NanoCore uses VBS files.[2] | 
| enterprise | T1573 | Encrypted Channel | - | 
| enterprise | T1573.001 | Symmetric Cryptography | NanoCore uses DES to encrypt the C2 traffic.[3] | 
| enterprise | T1562 | Impair Defenses | - | 
| enterprise | T1562.001 | Disable or Modify Tools | NanoCore can modify the victim’s anti-virus.[1][3] | 
| enterprise | T1562.004 | Disable or Modify System Firewall | NanoCore can modify the victim’s firewall.[1][3] | 
| enterprise | T1105 | Ingress Tool Transfer | NanoCore has the capability to download and activate additional modules for execution.[1][3] | 
| enterprise | T1056 | Input Capture | - | 
| enterprise | T1056.001 | Keylogging | NanoCore can perform keylogging on the victim’s machine.[3] | 
| enterprise | T1112 | Modify Registry | NanoCore has the capability to edit the Registry.[1][3] | 
| enterprise | T1027 | Obfuscated Files or Information | NanoCore’s plugins were obfuscated with Eazfuscator.NET 3.3.[3] | 
| enterprise | T1016 | System Network Configuration Discovery | NanoCore gathers the IP address from the victim’s machine.[1] | 
| enterprise | T1125 | Video Capture | NanoCore can access the victim’s webcam and capture data.[1][3] | 
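The persistence and script-host rows above (T1547.001 RunOnce key launching VBS scripts, T1059.003 JavaScript files, T1059.005 VBS files) can be hunted for in Sysmon Event ID 13 (RegistryEvent, value set) telemetry. The following is an added example written for this page, not code from ATT&CK or from any of the cited reports. It flags Run/RunOnce values whose data invokes a script host or a script file, and it deliberately generalizes beyond the RunOnce-plus-.vbs case reported for NanoCore to the Run key and to .js/.jse/.wsf/.hta payloads. The pipe-separated "Name: value" record layout and every log line are constructed for the example; the field names (EventID, TargetObject, Details, Image) are Sysmon's.

```python
import re
from typing import Dict, List, Optional

# HKCU/HKLM Run and RunOnce keys as they appear in a Sysmon TargetObject path.
AUTOSTART_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# Script hosts and script file extensions that are rare in legitimate autostart values.
SCRIPT_HOST_RE = re.compile(r"\b(?:wscript|cscript|mshta)(?:\.exe)?\b", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.IGNORECASE)

# Constructed sample telemetry (not real NanoCore activity): one record per line,
# fields separated by '|' and written 'Name: value'. Field names follow Sysmon.
SAMPLE_EVENTS: List[str] = [
    # RunOnce value pointing wscript.exe at a .vbs in the user's profile: suspicious
    r'UtcTime: 2019-01-29 10:22:31.000|EventID: 13|EventType: SetValue'
    r'|Image: C:\Windows\System32\wscript.exe'
    r'|TargetObject: HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\update'
    r'|Details: wscript.exe "C:\Users\alice\AppData\Roaming\update.vbs"',
    # Ordinary Run value written by an installer: benign
    r'UtcTime: 2019-01-29 10:25:02.000|EventID: 13|EventType: SetValue'
    r'|Image: C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe'
    r'|TargetObject: HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive'
    r'|Details: "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    # Run value whose data is a bare .js path (the default handler is wscript.exe): suspicious
    r'UtcTime: 2019-01-29 10:31:47.000|EventID: 13|EventType: SetValue'
    r'|Image: C:\Windows\System32\reg.exe'
    r'|TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Loader'
    r'|Details: C:\Users\alice\AppData\Roaming\loader.js',
    # Process creation event: not a registry write, ignored by this rule
    r'UtcTime: 2019-01-29 10:31:48.000|EventID: 1'
    r'|Image: C:\Windows\System32\wscript.exe'
    r'|CommandLine: wscript.exe "C:\Users\alice\AppData\Roaming\update.vbs"',
    # Script path written outside an autostart key: out of scope for this rule
    r'UtcTime: 2019-01-29 10:40:10.000|EventID: 13|EventType: SetValue'
    r'|Image: C:\Windows\System32\reg.exe'
    r'|TargetObject: HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Contoso\Agent\ScriptPath'
    r'|Details: C:\ProgramData\Contoso\agent.vbs',
]


def parse_sysmon_line(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dict; the first ':' separates name from value."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        name, sep, value = part.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields


def classify_autostart(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for a Run/RunOnce write whose data launches a script, else None."""
    if event.get("EventID") != "13":
        return None
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    key = AUTOSTART_KEY_RE.search(target)
    if key is None:
        return None
    if SCRIPT_HOST_RE.search(details) or SCRIPT_EXT_RE.search(details):
        value_name = target.rsplit("\\", 1)[-1]
        return f"{key.group(1)} value '{value_name}' launches a script: {details}"
    return None


def hunt(lines: List[str]) -> List[str]:
    """Run the rule over a batch of records and collect the findings in order."""
    findings: List[str] = []
    for line in lines:
        finding = classify_autostart(parse_sysmon_line(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Running the block flags the RunOnce value that calls wscript.exe on update.vbs and the Run value that points at loader.js, and ignores the OneDrive entry, the process-creation event and the .vbs path written under a non-autostart key. Matching on the Details data rather than on the writing process (Image) is deliberate: the value is what executes at logon, whoever wrote it.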
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0043 | Group5 | [5] | 
| G0064 | APT33 | [6] | 
| G0083 | SilverTerrier | [7] | 
| G0078 | Gorgon Group | [4] | 
References
1. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
2. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
3. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
4. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
5. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
6. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
7. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.