NanoCore RAT has been used in cyberattacks for about 7 years, and a huge number of modifications of this trojan exist. Official, “semi-official” and cracked versions of the malware are sold on DarkNet forums, and sometimes even given away for free, so it is not surprising that the number of attacks using it remains high.
The design of NanoCore RAT focuses on ease of use, so even unskilled adversaries can carry out full-fledged malicious campaigns. The trojan has a wide range of capabilities for espionage and remote control: it provides full access to the infected system and also allows adversaries to record audio and video, perform keylogging, and collect credentials and other personal information.
NanoCore RAT comes with base plugins that expand the malware's capabilities and allow threat actors to do just about anything they want once they gain complete, anonymous control over infected systems.
The exclusive Sigma rule “NanoCore detection” is one of the very first contributions of Aytek Aytemur, who has recently joined the Threat Bounty Program: https://tdm.socprime.com/tdm/info/VGdb6whemVdv/3XiVWHQBPeJ4_8xcGSSx/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Execution, Persistence, Privilege Escalation
Techniques: Scheduled Task (T1053)
Check more content by Threat Bounty Program developers to spot NanoCore:
NanoCore Rat Detection (Persistence via schtasks) by Emir Erdogan
Nanocore behavior (Powershell Detection) by Ariel Millahuel
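As an added illustration of the Scheduled Task (T1053) persistence that the rule above and the schtasks-based rule by Emir Erdogan target (example code written for this page, not SOC Prime's rule or its logic): a Sigma-style selection over constructed Sysmon process-creation events that flags `schtasks /create` invocations whose task body or parent process comes from a user-writable directory. The event field names, sample paths and the user-writable heuristic are assumptions, not taken from the rule.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (EventID 1); sample data, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     "CommandLine": r'schtasks /create /f /tn "Update Service" /xml "C:\Users\alice\AppData\Local\Temp\tmpA1.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Directories a standard user can write to. A task sourced from here is the typical sign of a
# user-mode implant persisting itself (assumption: the page's Sigma rule may use other criteria).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def detect_schtasks_persistence(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag schtasks /create events whose task body or parent process comes from a user-writable path."""
    hits = []
    for ev in events:
        image, cmd, parent = ev.get("Image", ""), ev.get("CommandLine", ""), ev.get("ParentImage", "")
        # selection: schtasks.exe creating a task (case-insensitive, like a Sigma 'contains' modifier)
        if not image.lower().endswith("\\schtasks.exe") or not re.search(r"/create\b", cmd, re.I):
            continue
        reasons = []
        if USER_WRITABLE.search(parent):
            reasons.append("parent process in user-writable directory")
        # /tr <program> and /xml <file> are the two ways schtasks receives the task definition
        for flag in ("/tr", "/xml"):
            m = re.search(flag + r'\s+"?([^"]+?)"?(?:\s+/|$)', cmd, re.I)
            if m and USER_WRITABLE.search(m.group(1)):
                reasons.append(f"{flag} argument in user-writable directory")
        if reasons:
            hits.append({"task_cmdline": cmd, "parent": parent, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in detect_schtasks_persistence(SAMPLE_EVENTS):
        print(hit)
```

Feeding the three sample events through the function yields one hit (the first event) with two reasons, while the administrator's daily backup task and the unrelated svchost event pass silently.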