Behavior

Tactic

Technique

Arrives as bank payment receipt attachment spam mails

Initial Access

T1193: Spear Phishing Attachment

User is bait to click archive attachment and malicious file is run

Execution

T1204: User Execution

Steals personal and financial information by using keylogger techniques

Collection

T1056: Input Capture

Sends gathered information to C&C server of attacker

Exfiltration

T1041: Exfiltration Over Command and Control Channel

Detection/Policy/Rules

Pattern Branch/Version

Release Date

Trojan.W97M.NANOCORE.AA
Trojan.W97M.NANOCORE.AMO
Backdoor.Win32.NANOCORE.CDC
Backdoor.Win32.NANOCORE.CDB
Backdoor.Win32.NANOCORE.CCX
Backdoor.MSIL.NANOCORE.AYL
Trojan.Win32.NANOCORE.YANV
Backdoor.Win32.NANOCORE.CCV
Trojan.Win32.NANOCORE.YANT
Trojan.Win32.NANOCORE.YANU
Trojan.Win32.NANOCORE.YANS
Backdoor.Win32.NANOCORE.CCT
Backdoor.AutoIt.NANOCORE.CCF

Ent OPR 14.971.04

April 30, 2019

Backdoor.Autoit.NANOCORE.SMAT.hp
Backdoor.MSIL.NANOCORE.SMIL
Backdoor.Win32.NANOCORE.SMC
Backdoor.AutoIt.NANOCORE.CEK
Backdoor.MSIL.NANOCORE.TIAOODDZ
Backdoor.Win32.NANOCORE.TIAOODFA
Trojan.P97M.NANOCORE.A
Trojan.Win32.NANOCORE.IMGYAPA
TrojanSpy.Win32.NANOCORE.AG

ENT OPR 15.632.00

January 20, 2020

Detection/Policy/Rules

Pattern Branch/Version

TROJ.Win32.TRX.XXPE50FFF029
Troj.Win32.TRX.XXPE50FFF030
Troj.Win32.TRX.XXPE50FFF033
Troj.Win32.TRX.XXPE50FFF034

In-the-cloud

Pattern Branch/Version

Release Date

TMTD OPR 1715

October 24, 2017

TMTD OPR 1723

November 15, 2017

Detection/Policy/Rules

Pattern Branch

URL Protection

In-the-cloud

hxxp://{BLOCKED}sa.5gbfree.com/grom/faze.exe

Malware Accomplice, Disease Vector

Patter Branch/Version

Release Date

15.631.00

January 19, 2020

Patter Branch/Version

Release Date

AS 4582.006

April 30, 2019

AS Pattern 5182

January 22, 2020

Detection/Policy/Rules

Pattern Branch/Version

Release Date

NANOCORE - TCP (Request)

NCIP 1.13973.00

November 28, 2019

Trend Micro Solution

Major Product

Latest Version

Virus Pattern

Anti-Spam Pattern

Network Pattern

Behavior Monitoring

Predictive Machine Learning

Web Reputation

Endpoint Security

ApexOne

2019

Update pattern via web console

Not Applicable

Update pattern via web console

Enable Behavior Monitoring and update pattern via web console

Enable Predictive Machine Learning

Enable Web Reputation Service and update pattern via web console

OfficeScan

XG (12.0)

Not Applicable

Worry-Free Business Security

Standard (10.0)

Advanced (10.0)

Update pattern via web console

Hybrid Cloud Security

Deep Security

12.0

Update pattern via web console

Not Applicable

Update pattern via web console

Enable Behavior Monitoring and update pattern via web console

Enable Predictive Machine Learning

Enable Web Reputation Service and update pattern via web console

Email and Gateway Security

Deep Discovery Email Inspector

3.5

Update pattern via web console

Not Applicable

Enable Web Reputation Service and update pattern via web console

InterScan Messaging Security

9.1

Not Applicable

InterScan Web Security

6.5

ScanMail for Microsoft Exchange

14.0

Network Security

Deep Discovery Inspector

5.5

Update pattern via web console

Not Applicable

Update pattern via web console

Not Applicable

Enable Web Reputation Service and update pattern via web console

NanoCore Malware Information

Product / Version includes:

OfficeScan XG , Apex One 2019 , Deep Security All , Worry-Free Business Security Advanced All

Last updated: 2025/08/08

Solution ID: KA-0009376

Category: Remove a Malware / Virus

Summary

The NanoCore remote access Trojan (RAT) was first discovered in 2013 when it was being sold in underground forums. The malware has a variety of functions such as keylogger, a password stealer which can remotely pass along data to the malware operator. It also has the ability to tamper and view footage from webcams, screen locking, downloading and theft of files, and more.

The current NanoCore RAT is now being spread through malspam campaign which utilizes social engineering in which the email contains fake bank payment receipt and request for quotation. The emails also contain malicious attachments with .img or .iso extension. The .img and .iso files are used by disk image files to store raw dumps of either magnetic disk or optical disc. Another version of NanoCore is also distributed in phishing campaigns leveraging specially-crafted ZIP file which is designed to bypass secure email gateways. The malicious ZIP file can be extracted by certain versions of PowerArchiver, WinRar, and older 7-Zip. The stolen information is sent to the command and control (C&C) servers of the malware attacker.

This RAT gathers the following data and sends it to its servers:

Browser's user names and passwords
File Transfer Protocol (FTP) clients or file manager software stored account information
Email credentials of popular mail clients

MITRE ATT&CK MATRIX

Behavior	Tactic	Technique
Arrives as bank payment receipt attachment spam mails	Initial Access	T1193: Spear Phishing Attachment
User is bait to click archive attachment and malicious file is run	Execution	T1204: User Execution
Steals personal and financial information by using keylogger techniques	Collection	T1056: Input Capture
Sends gathered information to C&C server of attacker	Exfiltration	T1041: Exfiltration Over Command and Control Channel

File Reputation

Detection/Policy/Rules	Pattern Branch/Version	Release Date
Trojan.W97M.NANOCORE.AA Trojan.W97M.NANOCORE.AMO Backdoor.Win32.NANOCORE.CDC Backdoor.Win32.NANOCORE.CDB Backdoor.Win32.NANOCORE.CCX Backdoor.MSIL.NANOCORE.AYL Trojan.Win32.NANOCORE.YANV Backdoor.Win32.NANOCORE.CCV Trojan.Win32.NANOCORE.YANT Trojan.Win32.NANOCORE.YANU Trojan.Win32.NANOCORE.YANS Backdoor.Win32.NANOCORE.CCT Backdoor.AutoIt.NANOCORE.CCF	Ent OPR 14.971.04	April 30, 2019
Backdoor.Autoit.NANOCORE.SMAT.hp Backdoor.MSIL.NANOCORE.SMIL Backdoor.Win32.NANOCORE.SMC Backdoor.AutoIt.NANOCORE.CEK Backdoor.MSIL.NANOCORE.TIAOODDZ Backdoor.Win32.NANOCORE.TIAOODFA Trojan.P97M.NANOCORE.A Trojan.Win32.NANOCORE.IMGYAPA TrojanSpy.Win32.NANOCORE.AG	ENT OPR 15.632.00	January 20, 2020

Predictive Machine Learning

Detection/Policy/Rules	Pattern Branch/Version
TROJ.Win32.TRX.XXPE50FFF029 Troj.Win32.TRX.XXPE50FFF030 Troj.Win32.TRX.XXPE50FFF033 Troj.Win32.TRX.XXPE50FFF034	In-the-cloud

Behavior Monitoring

Pattern Branch/Version	Release Date
TMTD OPR 1715	October 24, 2017
TMTD OPR 1723	November 15, 2017

Web Reputation

Detection/Policy/Rules	Pattern Branch
URL Protection	In-the-cloud
hxxp://{BLOCKED}sa.5gbfree.com/grom/faze.exe	Malware Accomplice, Disease Vector

Advanced Threat Scan Engine

Patter Branch/Version	Release Date
15.631.00	January 19, 2020

Anti-Spam

Patter Branch/Version	Release Date
AS 4582.006	April 30, 2019
AS Pattern 5182	January 22, 2020

Network Pattern

Detection/Policy/Rules	Pattern Branch/Version	Release Date
NANOCORE - TCP (Request)	NCIP 1.13973.00	November 28, 2019

Solution Map - What should customers do?

Trend Micro Solution	Major Product	Latest Version	Virus Pattern	Anti-Spam Pattern	Network Pattern	Behavior Monitoring	Predictive Machine Learning	Web Reputation
Endpoint Security	ApexOne	2019	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Behavior Monitoring and update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
	OfficeScan	XG (12.0)			Not Applicable
	Worry-Free Business Security	Standard (10.0)
	Worry-Free Business Security	Advanced (10.0)		Update pattern via web console
Hybrid Cloud Security	Deep Security	12.0	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Behavior Monitoring and update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
Email and Gateway Security	Deep Discovery Email Inspector	3.5	Update pattern via web console	Update pattern via web console	Update pattern via web console	Not Applicable	Not Applicable	Enable Web Reputation Service and update pattern via web console
	InterScan Messaging Security	9.1			Not Applicable
	InterScan Web Security	6.5
	ScanMail for Microsoft Exchange	14.0
Network Security	Deep Discovery Inspector	5.5	Update pattern via web console	Not Applicable	Update pattern via web console	Not Applicable	Not Applicable	Enable Web Reputation Service and update pattern via web console

Recommendation

Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Threat Report

Blogs

Malicious Spam Campaign Uses ISO Image Files to Deliver LokiBot and NanoCore

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

NanoCore Malware Information

MITRE ATT&CK MATRIX

File Reputation

Predictive Machine Learning

Behavior Monitoring

Web Reputation

Advanced Threat Scan Engine

Anti-Spam

Network Pattern

Solution Map - What should customers do?

Recommendation

Threat Report

Blogs

NanoCore Malware Information

Product / Version includes:

Summary

MITRE ATT&CK MATRIX

File Reputation

Predictive Machine Learning

Behavior Monitoring

Web Reputation

Advanced Threat Scan Engine

Anti-Spam

Network Pattern

Solution Map - What should customers do?

Recommendation

Threat Report

Blogs