JUST RELEASED: ATT&CK for Industrial Control Systems


NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]

ID: S0336
Platforms: Windows
Version: 1.0
Created: 29 January 2019
Last Modified: 17 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1123 Audio Capture

NanoCore can capture audio feeds from the system.[1][3]

Enterprise T1059 Command-Line Interface

NanoCore can open a remote command-line interface and execute commands.[3]

Enterprise T1089 Disabling Security Tools

NanoCore can modify the victim's firewall and anti-virus.[1][3]

Enterprise T1056 Input Capture

NanoCore can perform keylogging on the victim’s machine.[3]

Enterprise T1112 Modify Registry

NanoCore has the capability to edit the Registry.[1][3]

Enterprise T1027 Obfuscated Files or Information

NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.[3]

Enterprise T1060 Registry Run Keys / Startup Folder

NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[2]

Enterprise T1105 Remote File Copy

NanoCore has the capability to download and activate additional modules for execution.[1][3]

Enterprise T1064 Scripting

NanoCore uses VBS and JavaScript files.[2]

Enterprise T1032 Standard Cryptographic Protocol

NanoCore uses DES to encrypt the C2 traffic.[3]

Enterprise T1016 System Network Configuration Discovery

NanoCore gathers the IP address from the victim’s machine.[1]

Enterprise T1065 Uncommonly Used Port

NanoCore communicates to its C2 over ports 6666 and 4782.[4][3]

Enterprise T1125 Video Capture

NanoCore can access the victim's webcam and capture data.[1][3]

Groups That Use This Software

ID Name References
G0083 SilverTerrier [5]
G0078 Gorgon Group [4]
G0064 APT33 [6]
G0043 Group5 [7]