
Nightwing: A Knight in Bludhaven - Read the Epic Adventure that Launched the Nightwing Ongoing Serie



NanoCore Malware is a RAT that has become popular in recent years as it is commonly used by threat actors and is believed to be one of the most sophisticated RATs in the market. Since it was discovered in 2013, multiple different versions have been leaked on underground forums. The latest leaked version was 1.2.2.0 in March 2015 and is available online to download for free. NanoCore RAT comes with a few base plugins and the ability to expand its functionality, so threat actors can develop additional features for other malicious actions. There is already a wide range of NanoCore plugins available online that can be used for cryptocurrency mining, ransomware attacks, and more.


The first thing to notice is its obfuscation, which is similar to the main script. After spending a significant amount of time on de-obfuscation, we were able to find some interesting items inside. The script starts with declared global variables, some of which are dword values for registry checks and modifications. Others are for the values obtained from the configuration file. We also noticed that it has some unused variables that might just be included for use in later versions. As soon as this script is triggered, it sets the attributes of files in that current directory to read-only and hidden, just like the previous script. The script then performs different checks and makes modifications to system configuration and registry values. It checks if it is running inside virtual machines or sandboxed applications and if so, it terminates. Otherwise, it disables UAC, system restore points, and task manager and then adds a Windows Update key to the registry and startup for persistency. Finally, if the config file has a URL, it downloads the payload from there. If the config file has raw PE data, it gets a payload from there and injects it into the process memory of RegSvcs.exe using the RunPE technique.







Free always beats cheap

RATs sold on underground forums can vary in price, ranging anywhere from US$25 to $250. In recent years the security community has seen plenty of new RATs come and go, but where things always get dirty is when a cracked version of a RAT is leaked online for free. When this happens, usage of the RAT increases; cybercriminals are (arguably) human after all and love to get things for free. The NanoCore RAT has been around for a while now and was cheap to begin with; you can get the full version for just US$25. Add to this the fact that various versions of NanoCore have been leaked in the past and you can be sure this will grab the attention of people looking to get their hands on a free remote access Trojan.


It seems that every time the author tries to develop and improve NanoCore, one of the customers invariably ends up leaking a copy of it for free. This surely has to be a major disincentive for the original developer, but they seem to possess endless optimism and persist in creating new versions with enhanced capabilities, maybe in the hope that eventually enough customers will pay.


We can see from the graph shown in Figure 2 that following the leak of a version of NanoCore, there is an obvious increase in our detections of the RAT. This can be seen following the multiple leaks of version 1.0.3.0 in March and April, version 1.1.0.7 in July and August, version 1.1.0.10 in October, and finally the most recent leak of version 1.2.2.0 in March.


NanoCore targets the energy sector

Earlier this month, the full version of NanoCore (1.2.2.0) was leaked, which again resulted in an increase of its usage in both targeted and non-targeted attacks. The RAT is being distributed through malicious emails in most instances. One example we came across of NanoCore being used in a targeted attack involved a spam run that started on March 6. The targeted emails are being sent to energy companies in Asia and the Middle East, and the cybercriminals behind the attack are spoofing the email address of a legitimate oil company in South Korea. Attached to the email is a malicious RTF file that exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) and drops Trojan.Nancrat.


Remote control, file manipulations, download-execute, and password retrievers are just some of the capabilities that NanoCore offers to whoever gets their hands on the builder. Below is a screenshot of a cracked version of the latest NanoCore Builder (1.2.2.0), which was released way back in 2015.


It comes with features that allow the user to access a remote computer system as an administrator. The latest NanoCore RAT version, 1.2.2.0, is free and available for download. The developer of NanoCore was arrested by the FBI and pleaded guilty in 2017 to developing such a malicious privacy threat. He was sentenced to prison for almost 33 months.


A new version of this infamous RAT, dubbed NanoCore version 1.2.2, has resurfaced on the dark web. A special kit, which comes with a free release, is being sold for $25. Because it comes at a lower price, it allows even a broke criminal to launch effective attacks.


NanoCore is a commodity trojan developed in the .NET framework. According to Symantec, a fully cracked version of NanoCore 1.2.2.0 with premium plugins was released around March 2015 and has been seen targeting the energy sector. This release caused NanoCore to become increasingly popular with adversaries, especially the more frugal ones. Around April 2015 we observed a rise in activity involving NanoCore. We have observed its incorporation into tax-themed phishing since June 2015 and are continuing to see a general increase in activity since then. The figure below shows the upward trend Palo Alto Networks has seen in NanoCore RAT being distributed since September 2014.


Extracting the configuration information from the NanoCore client samples associated with this campaign showed us that they are using version 1.2.2.0, which is a leaked version with an Oct. 26, 2021 build date. The C2 server used is mback5338[.]duckdns[.]org, listening on TCP port 7632. The build date correlates with the possible start of the campaign.


DuckDNS is a free dynamic DNS service providing a public DNS server service allowing the user to create subdomains and maintain the records using the DuckDNS scripts. The actor has created malicious DuckDNS subdomains to deliver malware in this campaign. Some of the actor-controlled malicious subdomains resolve to the download server on Azure Cloud while others resolve to the servers operated as C2 for the remote access trojan payloads.


The malware went through at least four beta versions after that before the full version (1.2.2.0) finally made an appearance. That version was also eventually cracked and leaked online, which resulted in an increase in targeted and non-targeted attacks using the tool in March of last year.


The NanoCore RAT is a threatening remote access Trojan that was recently leaked to the public in its full version. This leaked full version was recently used in attacks targeting energy companies. The NanoCore RAT has been used in attacks throughout the world, but mostly focused on the United States and Canada. This full version of the NanoCore RAT included premium plug-ins, giving the NanoCore RAT advanced functionality that would normally have been behind a paywall. Malware researchers have seen the NanoCore RAT used in targeted attacks on energy companies after the NanoCore RAT was leaked in early March of 2015.


The NanoCore RAT in these attacks is delivered using a corrupted RTF or Microsoft Word file. This file takes advantage of a well-known vulnerability, CVE-2012-0158. This is a vulnerability in the Microsoft Windows Common Controls ActiveX component MSCOMCTL.OCX, which appears in some of Microsoft's older software. Examples of software vulnerable to this exploit include SQL Server 2008 and versions of Microsoft Office released in 2010 and earlier. This text file claims to contain revisions to a contract. The email has a carefully crafted subject line and body that tempt computer users into opening the document. Opening it results in the NanoCore RAT infection.


According to researchers at Fortinet, the version of NanoCore used in the sample is version 1.2.2.0, first launched in 2015, and is downloaded from the domain wwpdubai.com. It is then saved in the Windows temporary folder as a .exe file. Before the malware goes any further it checks to see if there is already a version of NanoCore on the computer and if a version of Avast antivirus is installed. If both conditions are answered in the negative the code will then extract an archive within the executable and retrieve another file which is the actual NanoCore RAT.


Initially sold cheaply on forums, the first cracked versions of NanoCore emerged in 2013. Originally sold for 25 USD, it was leaked and cracked and has now become free to anyone looking to leverage the malware. This proves that free is almost always better than cheap and, simultaneously, that there is little honor among thieves. The first leaked version was nothing to write home about, with very few capabilities enabled. By February 2014, a beta version with more capabilities was released. Some time after that the source code was leaked and is now free to use. Throughout 2014 a tug of war occurred between the malware author and those leaking the code. In March 2015, version 1.2.2.0 was leaked to the hacking public. This was to be the last version released and the one used in the most recent campaign analyzed by Fortinet.


Despite there being no subsequent versions, 1.2.2.0 is still a nasty piece of code. Not only, as seen above, is the malware capable of resisting attempts to kill processes, it also boasted many desirable features and capabilities including:

