NanoCore

Malware Profile Updated 13 days ago
NanoCore is a Remote Access Trojan (RAT) first seen in 2013 that targets users of the Windows operating system. It typically arrives through malicious downloads, phishing e-mails, or compromised websites, often without the user's knowledge, and opens a backdoor on the infected host that is used to steal information. It has been observed alongside other tooling such as Cobalt Strike, BumbleBee, IcedID, Meterpreter, and Remcos.

Several delivery chains have been documented. In one, a loader downloads encoded data from the "nanoshield.pro/files" URL, reverses the data, replaces the string "DgTre", and then uses RegAsm to proxy the execution of NanoCore. In December, a novel .NET injector delivered the BunnyLoader payload as a follow-on to a NanoCore infection. A dropper Trojan that installs the NanoCore RAT has been catalogued under the signature name Win.Dropper.Nanocore-10011208-0. GuLoader has also been seen deploying both NanoCore and Remcos. In another campaign, the plugin files downloaded from the C2 server included VenomRAT version 6, Remcos, XWorm, NanoCore, and a stealer aimed specifically at cryptocurrency wallets. Crypters such as SYK Crypter have likewise been used to distribute a wide range of malware families, NanoCore among them.

Despite its age, NanoCore remains a significant threat: it held a top-five position in the monthly malware ranking for six consecutive months and took third place in December, with a global impact of 1% of organizations. It trailed only FakeUpdates and Formbook, the most prevalent families that month, each of which affected 2% of organizations worldwide. Ramnit and Glupteba were new entries in the same ranking.
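The decode step attributed above to the RegAsm-based loader (reverse the downloaded bytes, then replace the "DgTre" marker) is simple enough to reproduce as an analyst helper. The following Python is an added example written for this page; it is not code from the profile or from any of the cited reports. It assumes that "replace" means the marker is removed and that the marker is inserted between fixed-size chunks; both are assumptions, and the payload is a constructed fake PE header, not a real sample. After decoding it checks that the result actually looks like a PE, so a wrong marker or wrong order is noticed rather than silently handed to the next stage.

```python
import struct
from typing import Optional

# Marker string the loader replaces after reversing the download (from the profile).
MARKER = b"DgTre"


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # An out-of-range e_lfanew yields a short slice and fails the comparison.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_stage(blob: bytes, marker: bytes = MARKER) -> bytes:
    """Undo the transform described in the profile: reverse the bytes, then strip
    every occurrence of the marker. Assumption: 'replace' means replace with nothing.
    Caveat: a genuine occurrence of the marker inside the payload would be lost too."""
    return blob[::-1].replace(marker, b"")


def encode_like_loader(payload: bytes, marker: bytes = MARKER, chunk: int = 16) -> bytes:
    """Inverse of decode_stage, used only to build the constructed sample below:
    insert the marker between fixed-size chunks, then reverse the whole buffer.
    The chunking scheme is an assumption, not something the profile states."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
    return marker.join(chunks)[::-1]


def build_fake_pe() -> bytes:
    """Constructed stand-in for the real payload: a 64-byte DOS header with
    e_lfanew = 0x40, followed by the PE signature and filler. Not executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\0" * 20 + b".text section bytes"


def recover_payload(blob: bytes) -> Optional[bytes]:
    """Analyst entry point: decode and return the payload only if it is a PE,
    otherwise None, so a failed decode is visible instead of being passed on."""
    candidate = decode_stage(blob)
    return candidate if looks_like_pe(candidate) else None


if __name__ == "__main__":
    # Constructed sample: what the loader would have fetched from the server.
    sample = encode_like_loader(build_fake_pe())
    print("raw download looks like PE:", looks_like_pe(sample))
    print("recovered PE:", recover_payload(sample) is not None)
```

To use this against a real download, read the fetched file as bytes and pass it to recover_payload; if it returns None, the marker, the replacement value, or the order of operations differs from what this example assumes and should be taken from the loader itself.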
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so this section lists possibly overlapping names and profiles you may also want to look at. None are listed for this profile.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
RAT
Malware
Trojan
Payload
Crypter
Associated Malware
RedLine (type: Unspecified; 3 votes): Uncovered in March 2020, RedLine is a notorious malware designed to steal sensitive information such as credentials, cryptocurrency wallets, and financial data. It has been used extensively by threat actors, making it the most prominent 'stealer' malware, responsible for nearly half of all stolen pa […]
njRAT (type: Unspecified; 2 votes): NjRAT is a malicious software, or malware, that has been used in both criminal and targeted attacks since 2013. This remote-access Trojan (RAT) is capable of identifying remote hosts on connected networks (T1018) and detecting if the victim system has a camera during the initial infection (T1120). I […]
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the NanoCore malware was read from the documents listed below (source, age of the entry, title). This display is limited to 20 results.
MITRE (a year ago): NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails
MITRE (a year ago): The NanoCore RAT Has Resurfaced From the Sewers - Cofense
MITRE (a year ago): The Gorgon Group: Slithering Between Nation State and Cybercrime
Fortinet (a month ago): ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins | FortiGuard Labs
Recorded Future (a year ago): 2022 Adversary Infrastructure Report
CERT-EU (4 months ago): December 2023's Most Wanted Malware: The Resurgence of Qbot and FakeUpdates – Global Security Mag Online
CERT-EU (a year ago): Threat Roundup for June 9 to June 16
CERT-EU (a year ago): Threat Roundup for June 2 to June 9
CERT-EU (7 months ago): Threat Roundup for October 13 to October 20
MITRE (a year ago): Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
CERT-EU (10 months ago): New Attack Drops LokiBot Malware Via Malicious Macros in Word Docs
CERT-EU (a year ago): New Version of GuLoader Delivers Encrypted Cloud-Based Payloads (original title in Greek: Νέα Έκδοση του Guloader Παραδίδει Κρυπτογραφημένα Cloud-Based Payloads)
Fortinet (9 months ago): Attackers Distribute Malware via Freeze.rs And SYK Crypter | FortiGuard Labs
Secureworks (a year ago): DarkTortilla Malware Analysis
CERT-EU (9 months ago): New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks
Unit42 (2 months ago): Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled