{"id":2555,"date":"2024-09-25T18:55:10","date_gmt":"2024-09-25T18:55:10","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2555"},"modified":"2025-07-29T03:53:51","modified_gmt":"2025-07-29T03:53:51","slug":"you-get-a-rat-you-get-a-rat-and-you-get-a-rat-nanocore-rat-offered-for-free-on-dark-web","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/you-get-a-rat-you-get-a-rat-and-you-get-a-rat-nanocore-rat-offered-for-free-on-dark-web\/","title":{"rendered":"You get a RAT, you get a RAT, and you get a RAT! NanoCore RAT offered for free on Dark Web"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Despite the creator of NanoCore RAT being sentenced to 33 months jail last year, his creation lives on. LMNTRIX Cyber Defense Centre analysts recently discovered the malware was being offered for free on the Dark Web. The below thread, posted on April 8 this year and written in German, lists a number of RATs available for free download. As well as NanoCore, the author provides links to several other malware variants including Babylon RAT and Echo RAT:  <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1: Deep Web Forum containing download links to RATs<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2: Downloading Nanocore RAT<\/em><\/p>\n\n\n\n

Taylor Huddleston was the first malware author to be prosecuted for their creation \u2013 a creation which has taken on a life of its own, spawning newer variants such as LuminosityLink RAT and Surprise Ransomware. The current version of NanoCore being offered for free online is v1.2.2, it is written in C# dot.net and has the following features:<\/p>\n\n\n\n

    \n
  1. Remote client shutdown \/ restart<\/li>\n\n\n\n
  2. Remote File Browser, Task Manager, Registry Editor, Remote Console<\/li>\n\n\n\n
  3. Remote Mouse control<\/li>\n\n\n\n
  4. Open webpages<\/li>\n\n\n\n
  5. Open CD Tray<\/li>\n\n\n\n
  6. Disable Webcam Lights<\/li>\n\n\n\n
  7. Remote Execute<\/li>\n\n\n\n
  8. Remote Computer Locker with custom encryption (like ransomware)<\/li>\n\n\n\n
  9. Remote Reverse Proxy<\/li>\n\n\n\n
  10. Remotely recover passwords<\/li>\n\n\n\n
  11. Remote Keylogging<\/li>\n\n\n\n
  12. Remote Video \/ Audio capture<\/li>\n<\/ol>\n\n\n\n

    Once downloaded from the Dark Web, the NanoCore RAT is controlled through a user-friendly interface. This lowers the barrier for entry and enables even the most amateur hackers to weaponise emails and kick off their own campaigns:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Figure 3: Nanocore RAT loading screen<\/em>


    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n


    Figure 4: Nanocore client connection<\/em>


    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n


    Figure 5: Nanocore Management<\/em>

    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n



    Figure 6: Nanocore Remote File Browser<\/em>

    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n



    Figure 7: Nanocore Management – Turn off webcam lights<\/em>

    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n



    Figure 8: Nanocore Management – Ransomware Module<\/em>

    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n



    Figure 9: Nanocore Management – Keylogging Module<\/em>

    Anytime an exploit kit or RAT kit is made available for free, it leads to an explosion of campaigns using the malware \u2013 something we have observed since this Dark Web posting in April.<\/p>\n\n\n\n

    Current Campaign and TTP<\/h2>\n\n\n\n

    One of these current campaigns uses a very common TTP as it employs infection via phishing mail and macro-enabled word document. The phishing emails are targeted to the administrative mail address of an organisation and are spoofed to resemble invoices or purchase orders. The attachment names are usually \u201cURGENT.doc\u201d or \u201cPO URGENT.doc\u201d:

    <\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n



    Figure 10: Malicious Word Attachment<\/em>

    The attachment contains a macro code, which is executed automatically when the word document is opened. The following is the behaviour of the macro code.<\/p>\n\n\n\n

      \n
    1. A javascript file is written in the %APPDATA%\\Local\\Temp folder, “C:\\Users\\admin\\AppData\\Local\\Temp\\mczekg5e.js”, which is then executed by \u201cwscript.exe\u201d.
      \n
        \n
      1. \u201cmczekg5e.js\u201d writes the file “C:\\Users\\admin\\AppData\\Roaming\\KQWPXSGZoR.js” and sets a custom AutoRun registry key under current user \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u201d with key name \u201cKQWPXSGZoR\u201d. The value of the key is to execute “C:\\Users\\admin\\AppData\\Roaming\\KQWPXSGZoR.js” with \u201cwscript.exe\u201d.<\/li>\n\n\n\n
      2. The file “C:\\Users\\admin\\AppData\\Roaming\\KQWPXSGZoR.js” is also written to Startup folder path \u201cC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KQWPXSGZoR.js\u201d.<\/li>\n\n\n\n
      3. Starts cmd.exe in %temp% folder and writes a .vbs file “C:\\Users\\admin\\AppData\\Local\\Temp\\B3g.vbs”. Then executes the file with \u201cwscript.exe\u201d. Behaviour of \u201cB3g.vbs\u201d is as follows \u2013
        \n
          \n
        1. Writes the following files
          \n
            \n
          1. C:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\PN6YT226\\hercilio[1].exe<\/li>\n\n\n\n
          2. C:\\Users\\admin\\AppData\\Local\\Temp\\EJV.EXE<\/li>\n<\/ol>\n<\/li>\n\n\n\n
          3. Waits for 13 seconds with timeout.exe command.<\/li>\n\n\n\n
          4. Executes EJV.EXE, which writes the following files \u2013
            \n
              \n
            1. C:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\run.dat<\/li>\n\n\n\n
            2. C:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\catalog.dat<\/li>\n\n\n\n
            3. C:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\storage.dat<\/li>\n\n\n\n
            4. C:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\settings.bin<\/li>\n<\/ol>\n<\/li>\n\n\n\n
            5. \u201cC:\\Users\\admin\\AppData\\Local\\Temp\\EJV.EXE\u201d copies itself into the path \u201cC:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\DPI Host\\dpihost.exe\u201d<\/li>\n\n\n\n
            6. \u201cEJV.EXE\u201d sets an AutoRun registry key under current user \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u201d with key name \u201cDPI Host\u201d. The value of the key is to execute \u201cC:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\DPI Host\\dpihost.exe\u201d.

              <\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n

              Persistence Techniques<\/h2>\n\n\n\n

              The macro code drops a Stage One payload, which is a javascript file \u201cC:\\Users\\admin\\AppData\\Roaming\\KQWPXSGZoR.js\u201d. Persistence during this stage is achieved by the following two methods:

              Setting an AutoRun registry key \u201cKQWPXSGZoR\u201d under \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u201d to execute \u201cC:\\Users\\admin\\AppData\\Roaming\\KQWPXSGZoR.js\u201d.<\/p>\n\n\n\n

                \n
              1. Writing the stage 1 payload into startup folder path \u201cC:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\KQWPXSGZoR.js\u201d.The Stage Two payload is dropped by execution of \u201cB3g.vbs\u201d into \u201cC:\\Users\\admin\\AppData\\Local\\Temp\\EJV.EXE\u201d. It is also observed in the INetCache path \u201cC:\\Users\\admin\\AppData\\Local\\Microsoft\\Windows\\INetCache\\IE\\PN6YT226\\hercilio[1].exe\u201d. This is the NanoCore RAT client. Persistence on Stage 2 is achieved by the following method:<\/li>\n\n\n\n
              2. Setting an AutoRun registry key \u201cDPI Host\u201d under \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\u201d to execute \u201cC:\\Users\\admin\\AppData\\Roaming\\C5548495-682B-436B-B722-92C4F9C95AE9\\DPI Host\\dpihost.exe\u201d.<\/li>\n<\/ol>\n\n\n\n

                Detection<\/h2>\n\n\n\n

                The attack cycle outlined above can be detected based on the techniques attackers employ. Using MITRE\u2019s ATT&CK Framework, we can break down the attacker techniques as follows.<\/p>\n\n\n\n

                  \n
                1. T1064 \u2013 Scripting:<\/strong> As scripting is commonly used by system administrators to perform routine tasks, any anomalous execution of legitimate scripting programs, such as PowerShell or Wscript, can signal suspicious behaviour. Checking office files for macro code can also help identify scripting used by attackers. Office processes, such as winword.exe spawning instances of cmd.exe, or script applications like wscript.exe and powershell.exe, may indicate malicious activity.<\/li>\n\n\n\n
                2. T1060 – Registry Run Keys \/ Startup Folder:<\/strong> Monitoring Registry for changes to run keys that do not correlate with known software or patch cycles, and monitoring the start folder for additions or changes, can help detect malware. Suspicious programs executing at start-up may show up as outlier processes that have not been seen before when compared against historical data. Solutions like LMNTRIX Respond, which monitors these important locations and raises alerts for any suspicious change or addition, can help detect these behaviours.<\/li>\n\n\n\n
                3. T1193 \u2013 Spearphishing Attachment:<\/strong> Network Intrusion Detection systems, such as LMNTRIX Detect, can be used to detect spearphishing with malicious attachments in transit. In LMNTRIX Detect\u2019s case, in-built detonation chambers can detect malicious attachments based on behaviour, rather than signatures. This is critical as signature-based detection often fails to protect against attackers that frequently change and update their payloads.<\/li>\n<\/ol>\n\n\n\n

                  Indicator of Compromise<\/h2>\n\n\n\n

                  The table below lists the Indicators of Compromise which can further help security professionals identify NanoCore activity.<\/p>\n\n\n\n

                  INFO<\/th>VALUE<\/strong><\/th>TYPE<\/strong><\/th><\/tr><\/thead>
                  Malicious Attachment<\/td>P.O. URGENT.doc<\/td>Word Document Name<\/td><\/tr>
                  Malicious Attachment<\/td>70f3125dcf765f405abea4ae1126e98b<\/td>MD5<\/td><\/tr>
                  Stage 1 payload<\/td>f10b1fb2fc5f69ccc148053f930d4c66<\/td>MD5<\/td><\/tr>
                  Stage 2 payload<\/td>e2b951058ababdb4cb738342b67d0c83<\/td>MD5<\/td><\/tr>
                  Attacker Domain<\/td>kcexports.me<\/td>Domain<\/td><\/tr>
                  RAT Sinkhole<\/td>clinton2.duckdns.org<\/td>Domain<\/td><\/tr>
                  RAT Domain<\/td>pluginsrv.duckdns.org<\/td>Domain<\/td><\/tr>
                  RAT Domain<\/td>clintonlog.hopto.org<\/td>Domain<\/td><\/tr>
                  RAT Domain<\/td>prod-tp.sumo.mozit.cloud<\/td>Domain<\/td><\/tr>
                  RAT IP<\/td>67.207.93.17<\/td>IP Address<\/td><\/tr>
                  RAT IP<\/td>192.169.69.25<\/td>IP Address<\/td><\/tr>
                  RAT IP<\/td>185.244.31.111<\/td>IP Address<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

                  Recommendations<\/h2>\n\n\n\n

                  The strategies outlined in the \u2018Detection\u2019 section above, coupled with the list of IoCs, can help security personnel identify the presence of NanoCore RAT in their networks.<\/p>\n\n\n\n

                  LMNTRIX\u2019s Adaptative Threat Response solution also provides complete endpoint security with detection techniques mapped to the \u201cMITRE ATT&CK\u201d framework. With advanced analytics, LMNTRIX XDR brings light to threats that otherwise go undetected, along with detailed analysis to provide attack attribution and mitigation. The LMNTRIX solution includes an inbuilt offline capability which uses machine learning models to classify malicious files and quickly isolates the location and determines the extent of the executable.<\/p>\n\n\n\n

                  LMNTRIX Detect is a part of the Active Defense solution and focuses on Network Intrusion Detection. It receives numerous proprietary and open source feeds for classification of IP and domain names, and contains a detonation chamber\/sandbox environment that allows for quick assessment of suspicious files entering the perimeter via network.<\/p>\n\n\n\n

                  On 2019-08-22<\/p>\n\n\n\n

                  <\/p>\n","protected":false},"excerpt":{"rendered":"

                  Despite the creator of NanoCore RAT being sentenced to 33 months jail last year, his creation lives on. LMNTRIX Cyber Defense Centre analysts recently discovered the malware was being offered for free on the Dark Web. The below thread, posted on April 8 this year and written in German, lists a number of RATs available […]<\/p>\n","protected":false},"author":1,"featured_media":2580,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2555","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2555","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2555"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2555\/revisions"}],"predecessor-version":[{"id":4266,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2555\/revisions\/4266"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2580"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2555"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2555"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2555"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}