NanoCore

NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.[1][2][3][4]

ID: S0336
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | NanoCore can capture audio feeds from the system.[1][3] |
| Enterprise | T1059 | Command-Line Interface | NanoCore can open a remote command-line interface and execute commands.[3] |
| Enterprise | T1089 | Disabling Security Tools | NanoCore can modify the victim's firewall and anti-virus.[1][3] |
| Enterprise | T1056 | Input Capture | NanoCore can perform keylogging on the victim’s machine.[3] |
| Enterprise | T1112 | Modify Registry | NanoCore has the capability to edit the Registry.[1][3] |
| Enterprise | T1027 | Obfuscated Files or Information | NanoCore’s plugins were obfuscated with Eazfuscator.NET 3.3.[3] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[2] |
| Enterprise | T1105 | Remote File Copy | NanoCore has the capability to download and activate additional modules for execution.[1][3] |
| Enterprise | T1064 | Scripting | NanoCore uses VBS and JavaScript files.[2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | NanoCore uses DES to encrypt the C2 traffic.[3] |
| Enterprise | T1016 | System Network Configuration Discovery | NanoCore gathers the IP address from the victim’s machine.[1] |
| Enterprise | T1065 | Uncommonly Used Port | NanoCore communicates with its C2 over ports 6666 and 4782.[4][3] |
| Enterprise | T1125 | Video Capture | NanoCore can access the victim's webcam and capture data.[1][3] |

Groups

Groups that use this software:

APT33
Gorgon Group
SilverTerrier

References