| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | NanoCore can capture audio feeds from the system. |
| Enterprise | T1059 | Command-Line Interface | NanoCore can open a remote command-line interface and execute commands. |
| Enterprise | T1089 | Disabling Security Tools | NanoCore can modify the victim's firewall and anti-virus. |
| Enterprise | T1056 | Input Capture | NanoCore can perform keylogging on the victim's machine. |
| Enterprise | T1112 | Modify Registry | NanoCore has the capability to edit the Registry. |
| Enterprise | T1027 | Obfuscated Files or Information | NanoCore's plugins were obfuscated with Eazfuscator.NET 3.3. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine. |
| Enterprise | T1105 | Remote File Copy | NanoCore has the capability to download and activate additional modules for execution. |
| Enterprise | T1032 | Standard Cryptographic Protocol | NanoCore uses DES to encrypt the C2 traffic. |
| Enterprise | T1016 | System Network Configuration Discovery | NanoCore gathers the IP address from the victim's machine. |
| Enterprise | T1065 | Uncommonly Used Port | NanoCore communicates with its C2 over ports 6666 and 4782. |
| Enterprise | T1125 | Video Capture | NanoCore can access the victim's webcam and capture data. |
Groups That Use This Software