NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]

ID: S0336
Platforms: Windows
Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1123 | Audio Capture | NanoCore can capture audio feeds from the system. [1] [3] |
| Enterprise | T1059 | Command-Line Interface | NanoCore can open a remote command-line interface and execute commands. [3] |
| Enterprise | T1089 | Disabling Security Tools | NanoCore can modify the victim's firewall and anti-virus. [1] [3] |
| Enterprise | T1056 | Input Capture | NanoCore can perform keylogging on the victim’s machine. [3] |
| Enterprise | T1112 | Modify Registry | NanoCore has the capability to edit the Registry. [1] [3] |
| Enterprise | T1027 | Obfuscated Files or Information | NanoCore’s plugins were obfuscated with Eazfuscator.NET 3.3. [3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine. [2] |
| Enterprise | T1105 | Remote File Copy | NanoCore has the capability to download and activate additional modules for execution. [1] [3] |
| Enterprise | T1064 | Scripting | NanoCore uses VBS and JavaScript files. [2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | NanoCore uses DES to encrypt the C2 traffic. [3] |
| Enterprise | T1016 | System Network Configuration Discovery | NanoCore gathers the IP address from the victim’s machine. [1] |
| Enterprise | T1065 | Uncommonly Used Port | NanoCore communicates to its C2 over ports 6666 and 4782. [4] [3] |
| Enterprise | T1125 | Video Capture | NanoCore can access the victim's webcam and capture data. [1] [3] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0083 | SilverTerrier | [5] |
| G0078 | Gorgon Group | [4] |
| G0064 | APT33 | [6] |
| G0043 | Group5 | [7] |