{"id":2738,"date":"2024-09-25T19:40:57","date_gmt":"2024-09-25T19:40:57","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2738"},"modified":"2025-07-29T06:36:27","modified_gmt":"2025-07-29T06:36:27","slug":"as-nanocores-creator-awaits-sentencing-lets-unpack-his-handiwork","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/as-nanocores-creator-awaits-sentencing-lets-unpack-his-handiwork\/","title":{"rendered":"As Nanocore\u2019s creator awaits sentencing, lets unpack his handiwork"},"content":{"rendered":"
\n
\"Prisoner\"<\/figure>\n<\/div>\n\n\n

Earlier this year, the creator of the Nanocore Remote Access Trojan (RAT), Taylor Huddleston, pled guilty<\/a> to aiding and abetting computer intrusions by selling his creation online for as little as $25. He\u2019s due for sentencing later this week and faces up 10 years in prison. 

As an interesting side note, before pleading guilty Huddleston\u2019s defence<\/a> argued that Nanocore was created as a legitimate program, designed to give users a simple way to control their computers remotely.

Despite being collared by authorities, his legacy lives on. Nanocore is still one of the most popular RATs, and is being used by hackers around the globe. 

Developed in dot NET, it is one of the most sophisticated RATs we\u2019ve seen. On top of the standard functionality you\u2019d expect to see (key-logging, and mic and webcam access), it also includes an external Distributed Denial of Service (DDoS) plugin which enables hackers to use victim machines as a proxy to bring down a third-party server, as well as a ransomware-like feature to lock people out of their PCs.

Overview <\/strong>

Once Nanocore compromises a system, it gives attackers almost complete control over the infected machine. In addition to the features mentioned above, it opens a back door on the computer, enabling an attacker to perform the following actions: 

\u2022    Transfer and execute files

\u2022    Enter and execute commands

\u2022    Edit the registry

\u2022    View the desktop

\u2022    Create instant message windows

\u2022    Update the Trojan

\u2022    Manage running processes

\u2022    Steal passwords stored in web browsers and email clients

Distribution <\/strong>

Nanocore is usually spread via spam emails with malicious attachments or an embedded JavaScript file (.js). 

In a campaign discovered by LMNTRIX researchers late last month, French users were targeted with a PDF file with embedded JavaScript. Once opened, a HTA (HTML Application) file payload was downloaded from Google Drive. This method  bypassed Adobe security warnings by taking advantage of Google\u2019s reputation.

The PDF displayed a fake notification stating the user\u2019s Flash Player was outdated, prompting the installation of an updated version.

The downloaded .HTA file contained VBScript which decoded the embedded binary payload, and downloaded it into the %TEMP% directory of the target machine before execution.

Persistence<\/strong>

Upon infection, the malware drops winlogon.exe in the Startup Folder so it executes on every reboot:

C:\\Users\\<user-name>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winlogon.exe.lnk

File Details<\/strong><\/p>\n\n\n\n

File Type <\/td>Portable Executable (PE) file<\/td><\/tr>
Md5 hash<\/td>25640ca48d3fbfd7e070b7685c053b51<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Static Analysis<\/strong>

The screenshot below shows the recent Nanocore sample is written in dot NET:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Static analysis immediately uncovered some suspicious strings which gave away the file\u2019s malicious nature:

\u2022    GetProcAddress (gets current process address)

\u2022    KillOnExit (checks for some parameters, exits all processes if parameters are true)

\u2022    HttpWebClientProtocol

\u2022    set_Proxy (to use victim’s machine as proxy)

\u2022    CreateDecryptor

\u2022    CreateEncryptor (to encrypt files)

\u2022    GetCurrentProcess (checks current process)

\u2022    GetProcessesByName (checks process name)

Dynamic Analysis<\/strong>

The following diagram represents the chain of activities which occurred during infection:

<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n



Once executed, the malware\u2019s behavior can be seen in the below screenshot:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

We witnessed the sample drop and execute “tmp.exe” and “svchost.exe”, and connect to the IP address “185.82.216.57” via port \u201c5254\u201d:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

This IP was contacted in regular intervals: <\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

Once these steps were completed, \u201csvchost.exe\u201d started running as a background process:<\/p>\n\n\n\n

\"\"\/<\/figure>\n\n\n\n

During the infection, the following files were dropped\u2026

\u2022    C:\\Users\\<user-name>\\AppData\\Roaming\\tmp.exe md5: df145cc72ceb0db5881ed33961e678b9

\u2022    C:\\Users\\<user-name>\\AppData\\Roaming\\winlogon\\winlogon.exe md5: 25640ca48d3fbfd7e070b7685c053b51

\u2022    C:\\Users\\test\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\winlogon.exe.lnk (to maintain persistence)

\u2026 and the following registry value was created:

HKU\\S-1-5-21-132656071-2218712632-614148903-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load: “C:\\Users\\<username>\\AppData\\Roaming\\winlogon\\winlogon.exe.lnk”

Indicators of compromise<\/strong>

All files<\/strong>

\u2022    25640ca48d3fbfd7e070b7685c053b51

\u2022    df145cc72ceb0db5881ed33961e678b9

\u2022    9d9d45a925cec55f0b7456cf82c30f08

\u2022    74e3f9da2862e544a1561af43a99da77

\u2022    47d469fdff50ba8df9d474343896d27c

Command and Control<\/strong>

The below IP addresses and URL were contacted, indicating the malware\u2019s C&C servers:

\u2022    42.202.71.145

\u2022    41.207.196.84

\u2022    185.82.216.57:5254

ajam62[.]hopto[.]org

Registries added<\/strong>

HKU\\S-1-5-21-132656071-2218712632-614148903-1000\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load: “C:\\Users\\<username>\\AppData\\Roaming\\winlogon\\winlogon.exe.lnk”

Prevention <\/strong>

In addition to the fundamental basics (keep operating systems patched, security licenses updated and don\u2019t open suspicious email attachments), users should disable Autorun to prevent any external devices from automatically executing and enforce file sharing protection policies. <\/p>\n","protected":false},"excerpt":{"rendered":"

Earlier this year, the creator of the Nanocore Remote Access Trojan (RAT), Taylor Huddleston, pled guilty to aiding and abetting computer intrusions by selling his creation online for as little as $25. He’s due for sentencing later this week and faces up 10 years in prison.  As an interesting side note, before pleading guilty Huddleston’s […]<\/p>\n","protected":false},"author":1,"featured_media":2745,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2738","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2738","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2738"}],"version-history":[{"count":6,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2738\/revisions"}],"predecessor-version":[{"id":4308,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2738\/revisions\/4308"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2745"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2738"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2738"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2738"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}