NanoCore Malware Information

    • Updated:
    • 28 Jan 2020
    • Product/Version:
    • Apex One 2019
    • Deep Security
    • OfficeScan XG
    • Worry-Free Business Security Advanced
    • Platform:
    • N/A
Summary

The NanoCore remote access Trojan (RAT) was first seen in 2013, when it was being sold on underground forums. It bundles a keylogger and a password stealer that relay the captured data to the malware operator, and it can also view and tamper with webcam footage, lock the screen, download files, steal files from the infected host, and more.

The current NanoCore RAT is spread through a malspam campaign that relies on social engineering: the emails pose as bank payment receipts or requests for quotation and carry malicious attachments with an .img or .iso extension. Both are disk image formats that store a raw dump of a magnetic disk or optical disc; on Windows 8 and later a double-click mounts such an image as a drive, so the payload inside is opened like any file on a mounted volume. Another NanoCore variant is distributed in phishing campaigns that use a specially crafted ZIP file designed to bypass secure email gateways. The archive can still be extracted by certain versions of PowerArchiver, WinRAR and older releases of 7-Zip, so a gateway that cannot parse it may let it through unscanned while the recipient's archiver opens it without complaint. The stolen information is sent to the attacker's command-and-control (C&C) servers.
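The two delivery vectors above (disk image attachments and an archive that parsers disagree on) are exactly what a gateway or mail-flow rule should triage. The following is an added example, written for this article and not Trend Micro code or the logic of any Trend Micro product: it builds a sample "payment receipt" email in memory from constructed data (addresses, file names and file contents are all made up), then flags .img/.iso attachments, confirms ISO 9660 images by the "CD001" volume descriptor signature at offset 0x8001, and inspects .zip attachments for structural ambiguity. The article does not say how the NanoCore ZIP was crafted; the checks here (more than one end-of-central-directory record, and local file headers that the central directory does not account for) cover the usual way an archive is made to extract differently in different tools, and that generalization is this example's assumption. Python standard library only, no network access.

```python
"""Gateway-side triage of NanoCore-style attachments.

Added example, not Trend Micro code or product logic. Sample email, archives
and disk image are constructed in memory below.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature
DISK_IMAGE_EXT = {".img", ".iso"}


def is_iso9660(data: bytes) -> bool:
    """ISO 9660 volume descriptors start at sector 16 (0x8000); bytes 1-5 read CD001.
    A raw .img has no reliable signature, so .img is flagged by extension alone."""
    return len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001"


def zip_anomalies(data: bytes) -> list:
    """Findings for a ZIP that different extractors may interpret differently
    (assumption: this is how the 'specially crafted' archive is built)."""
    findings = []
    eocd_count = data.count(EOCD_SIG)
    if eocd_count == 0:
        return ["no end-of-central-directory record"]
    if eocd_count > 1:
        findings.append(f"{eocd_count} end-of-central-directory records")
    # Signature counting is a heuristic: compressed data can contain PK\x03\x04 by chance.
    local_headers = data.count(LOCAL_SIG)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            listed = len(zf.infolist())  # zipfile trusts the LAST EOCD record
    except zipfile.BadZipFile as exc:
        return findings + [f"stdlib zipfile rejects archive: {exc}"]
    if local_headers != listed:
        findings.append(
            f"{local_headers} local file headers but central directory lists {listed}")
    return findings


def triage(raw_email: bytes) -> list:
    """Parse an RFC 822 message and return one verdict dict per attachment."""
    msg = email.message_from_bytes(raw_email, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        payload = part.get_payload(decode=True) or b""
        flags = []
        if ext in DISK_IMAGE_EXT:
            flags.append("disk image attachment")
            if is_iso9660(payload):
                flags.append("ISO 9660 signature present")
        elif ext == ".zip":
            flags.extend(zip_anomalies(payload))
        verdicts.append({"name": name, "flags": flags})
    return verdicts


# ---- constructed sample data (not real malware) -----------------------------
def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


BENIGN_ZIP = make_zip({"receipt.txt": b"Payment received. Thank you."})
# Two complete archives glued together: a tool that honours the first EOCD
# record sees only the decoy, one that honours the last sees only the payload.
CRAFTED_ZIP = make_zip({"receipt.txt": b"decoy"}) + make_zip(
    {"receipt.exe": b"placeholder bytes, not a real executable"})
# Minimal ISO 9660 layout: 32 KiB system area, then a primary volume descriptor.
SAMPLE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


def build_sample_email(attachments: dict) -> bytes:
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"  # constructed addresses
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Bank payment receipt"
    msg.set_content("Please find the attached payment receipt.")
    for name, content in attachments.items():
        msg.add_attachment(content, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_email(
        {"receipt.zip": CRAFTED_ZIP, "receipt.iso": SAMPLE_ISO, "notes.txt": b"hello"})
    for verdict in triage(sample):
        print(verdict["name"], "->", verdict["flags"] or ["clean"])
```

The design point is that the ZIP check does not try to decide which interpretation of the archive is "correct"; any archive that two reasonable parsers could read differently is treated as suspicious, which is the property the crafted NanoCore ZIP relies on. Extend DISK_IMAGE_EXT with other mountable formats (.vhd, .vhdx) if your mail flow sees them.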

This RAT gathers the following data and sends it to its servers:

  • Browser's user names and passwords
  • File Transfer Protocol (FTP) clients or file manager software stored account information
  • Email credentials of popular mail clients

Capabilities:

  • Information Theft
  • Backdoor Commands
  • Exploits
  • Disabling system usage (for example, screen locking)

Impact:

  • Compromise system security - with backdoor capabilities that can execute malicious commands
  • Violation of user privacy - gathers user credentials, logs keystrokes and steals user information

Infection Details:

Sample spam: bank payment receipt attachment spam (screenshot not included in this text)

MITRE ATT&CK MATRIX

Behavior | Tactic | Technique
Arrives as bank payment receipt attachment spam mail | Initial Access | T1193: Spearphishing Attachment
User is baited into opening the archive attachment, which runs the malicious file | Execution | T1204: User Execution
Steals personal and financial information by keylogging | Collection | T1056: Input Capture
Sends gathered information to the attacker's C&C server | Exfiltration | T1041: Exfiltration Over Command and Control Channel

Note: later ATT&CK versions folded T1193 into T1566.001 (Phishing: Spearphishing Attachment); map accordingly when cross-referencing current detection content.

File Reputation

Detection/Policy/Rules | Pattern Branch/Version | Release Date

Pattern branch/version ENT OPR 14.971.04, released April 30, 2019:
  • Trojan.W97M.NANOCORE.AA
  • Trojan.W97M.NANOCORE.AMO
  • Backdoor.Win32.NANOCORE.CDC
  • Backdoor.Win32.NANOCORE.CDB
  • Backdoor.Win32.NANOCORE.CCX
  • Backdoor.MSIL.NANOCORE.AYL
  • Trojan.Win32.NANOCORE.YANV
  • Backdoor.Win32.NANOCORE.CCV
  • Trojan.Win32.NANOCORE.YANT
  • Trojan.Win32.NANOCORE.YANU
  • Trojan.Win32.NANOCORE.YANS
  • Backdoor.Win32.NANOCORE.CCT
  • Backdoor.AutoIt.NANOCORE.CCF

Pattern branch/version ENT OPR 15.632.00, released January 20, 2020:
  • Backdoor.Autoit.NANOCORE.SMAT.hp
  • Backdoor.MSIL.NANOCORE.SMIL
  • Backdoor.Win32.NANOCORE.SMC
  • Backdoor.AutoIt.NANOCORE.CEK
  • Backdoor.MSIL.NANOCORE.TIAOODDZ
  • Backdoor.Win32.NANOCORE.TIAOODFA
  • Trojan.P97M.NANOCORE.A
  • Trojan.Win32.NANOCORE.IMGYAPA
  • TrojanSpy.Win32.NANOCORE.AG

Predictive Machine Learning

Detection/Policy/Rules | Pattern Branch/Version
TROJ.Win32.TRX.XXPE50FFF029 | In-the-cloud
Troj.Win32.TRX.XXPE50FFF030 | In-the-cloud
Troj.Win32.TRX.XXPE50FFF033 | In-the-cloud
Troj.Win32.TRX.XXPE50FFF034 | In-the-cloud

Behavior Monitoring

Pattern Branch/Version | Release Date
TMTD OPR 1715 | October 24, 2017
TMTD OPR 1723 | November 15, 2017

Web Reputation

Detection/Policy/Rules | Pattern Branch
URL Protection | In-the-cloud

Blocked URL: hxxp://{BLOCKED}sa.5gbfree.com/grom/faze.exe (category: Malware Accomplice, Disease Vector)

Advanced Threat Scan Engine

Pattern Branch/Version | Release Date
15.631.00 | January 19, 2020

Anti-Spam

Pattern Branch/Version | Release Date
AS 4582.006 | April 30, 2019
AS Pattern 5182 | January 22, 2020

Network Pattern

Detection/Policy/Rules | Pattern Branch/Version | Release Date
NANOCORE - TCP (Request) | NCIP 1.13973.00 | November 28, 2019

Solution Map - What should customers do?

Columns in the original table: Trend Micro Solution | Major Product | Latest Version | Virus Pattern | Anti-Spam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation. The actions below apply to every product in a group unless a product is named.

Endpoint Security (Apex One 2019; OfficeScan XG 12.0; Worry-Free Business Security Standard 10.0 and Advanced 10.0)
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Not Applicable for Apex One and OfficeScan XG; Update pattern via web console for Worry-Free Business Security
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
  • Predictive Machine Learning: Enable Predictive Machine Learning
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Hybrid Cloud Security (Deep Security 12.0)
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Enable Behavior Monitoring and update pattern via web console
  • Predictive Machine Learning: Enable Predictive Machine Learning
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Email and Gateway Security (Deep Discovery Email Inspector 3.5; InterScan Messaging Security 9.1; InterScan Web Security 6.5; ScanMail for Microsoft Exchange 14.0)
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Update pattern via web console
  • Network Pattern: Update pattern via web console for Deep Discovery Email Inspector; Not Applicable for InterScan Messaging Security, InterScan Web Security and ScanMail for Microsoft Exchange
  • Behavior Monitoring: Not Applicable
  • Predictive Machine Learning: Not Applicable
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Network Security (Deep Discovery Inspector 5.5)
  • Virus Pattern: Update pattern via web console
  • Anti-Spam Pattern: Not Applicable
  • Network Pattern: Update pattern via web console
  • Behavior Monitoring: Not Applicable
  • Predictive Machine Learning: Not Applicable
  • Web Reputation: Enable Web Reputation Service and update pattern via web console

Category:
Remove a Malware / Virus
Solution Id:
1122912