The NanoCore Remote Access Trojan (RAT) is being spread through malicious documents and uses an interesting technique to keep its process running and prevent victims from manually killing the system, researchers say.
The cybersecurity team from Fortinet recently captured a sample relating to the spread of NanoCore RAT in the form of a malicious Microsoft Word document.
Developed in the .Net framework under an author known as "Taylor Huddleston," the Trojan has landed its operator in jail for peddling the malware on underground forums.
While the Arkansas man is due to serve close to three years in prison, his legacy continues on in the wild without his influence.
The malicious document, "eml_-_PO20180921.doc," is spread via phishing campaigns and contains auto-executable malicious, obfuscated VBA code which initiates the Trojan.
If opened, the document contains a security warning at the top informing the would-be victim that macros have been disabled, but should that individual click "enable content," the infection process begins.
According to Fortinet, the NanoCore Trojan, in its latest 184.108.40.206 version, is downloaded from the wwpdubai.com domain as part of an .exe file which is then saved in a Windows temporary folder.
The file, CUVJN.exe, calls a daemon process. However, before this process begins, the executable will check to see if the process already exists and whether or not Avast antivirus software is running.
If the infected system passes these checks, the code will then extract an archive within the executable and retrieve a PE file which is the actual NanoCore RAT.
Two processes will be running at this stage; Netprotocol.exe, which is a copy of CUVJN.exe and is the daemon designed to unzip NanoCore, alongside dll.exe, which is a very interesting daemon process in itself.
Dll.exe is designed to keep the Trojan running. The process starts netprotocol.exe, injects NanoCore into memory, and runs the code. One of the process' classes is called "ProtectMe" with a function "ProtectMe.Protect()" which prevents the process from being killed off by the victim.
During testing, Fortinet researchers could not kill the netprotocol.exe process at all -- despite it not being a system service or containing higher privileges than the user.
It turns out that the process uses a function called ZwSetInformationProcess, from NTDLL.dll, is able to modify the state of the process and prevent it from being disabled.
"There is a function named "RunPE.doIt()" that is used to run and protect the NanoCore RAT client. It calls the API CreateProcessA to start a new "netprotocol.exe" and then suspends it," the researchers say. "Next, it allocates memory in the new "netprotocol.exe" and puts the entire NanoCore into the newly allocated memory using the API WriteProcessMemory. Finally, it modifies the entry point of the thread context to NanoCore's entry point and resumes NanoCore running inside the second "netprotocol.exe" by calling the API ResumeThread."
First discovered in 2013, NanoCore is a rather nasty piece of malware which is able to perform a variety of functions. These include a keylogger, a password stealer which can remotely pass along data to the malware's operator, the ability to tamper with and view footage from webcams, screen locking, the download and theft of files, and more.
The latest version of the Trojan was released in 2015 with premium plugins included, before the arrest of the operator in 2016.