The unique methodology makes the Nanocore virus a dangerous threat that uses cunning ways and disguises itself to carry out the criminal deeds that the virus has been programmed to do.
To hide its presence for a long time, the virus will disable the work of existing anti-virus programs, Windows Firewall, and other security programs. In fact, the virus generates warning notices or error messages when you try to install applications or software with the latest version.
The threat will install malicious payloads and a registry editor that will start working as soon as you restart the system.
The virus can also spy on you, steal your files, and even blackmail you. If they choose, they can turn your device into a bot machine.
How is this Trojan virus spread?
In the famous Greek myth, the wooden Trojan horse is associated with the war in the city of Troy, this computer threat that we are discussing pretends to be a harmless file, or an interesting offer, the purpose of which is to arouse the victim’s curiosity and make them click on the malware.
It is typical for Trojan viruses such as Nanocore to be hidden, thereby inadvertently forcing users to navigate to other sites, infecting them. In most cases, these viruses are spread through spam emails and infected attachments, malicious links and fake pop-up notifications, links, torrents, and infected web pages.
Basically, you will find the Nanocore virus bundled in free software, which could be a potential way for other similar ransomware viruses to be transmitted.
The Remote Administration Tool disables every component, be it an external device or an internal one. When a user tries to access important files, the files are not accessible because they are infected.
You can change system settings without manual direction, and you can also reconfigure the editor or Windows registry keys. In addition, a virus can disable a running antivirus program, which will create even more security problems.
The user should not click on pop-up notifications that are related to third-party sites or dubious people. You may lose personal data and files. Therefore, it is recommended to remove the Nanocore virus from the computer as soon as possible.
How did I get infected with the Nanocore Trojan virus?
The Nanocore Trojan virus is usually spread through spam emails with infected attachments. What happens when you receive this: The email will include a header from the police department, your bank, or the local post office.
The case seems to be urgent, and you open the letter. The letter has an attached file, but should I open it? Fortunately, the email provides a hyperlink that includes additional information.
Don’t click on it because it might be infected too, or they might redirect you to infected sites. The Internet is generally a dangerous place. Compare all email addresses with where you received the email from. If they don’t match, delete them. Also, when you open the email, pay attention to the red flag.
A trusted company will use your name when sending an email. If the letter begins with “Dear friend”, “Hello everyone”, or “Dear client” – proceed with caution. Another way of distribution is through downloads, infected programs, and advertising. Only your vigilance and attention can help you keep your computer safe.
History of Nanocore
The author of the popular Nanocore virus was found out only recently, it turned out to be a certain Taylor Huddleston. He admitted to creating this malware, which is being used by other scammers to infect countless computer users around the world to steal data and secretly monitor unsuspecting victims.
Hiddleston created Nanocore, a remote access virus, and Net Seal, licensed software, according to court documents. He created Net Seal in 2012 and Nanocore in 2014.
To take action against this hacker, the FBI arrested and charged Huddleston earlier this year. The suspect said that he never wanted his program to be abused by scammers.
He said he started coding Net Seal in late 2012 as a way to prove himself. Net Seal has become a popular program that companies have started to develop to prevent users from using copies of the application so that they become illegal.
After the success of Net Seal and after encountering hackers, Hiddleston’s next step was to develop Nanocore, an application that he said was a remote computer access program, and naturally included all the features of such a program, such as keyloggers, turning on the computer screen without knowledge of the user, DoS attacks or blocking of the entire PC. Very little time has passed before
Huddleston disputes the allegations
Huddleston’s main defense was that he never wanted his software to be used for malicious purposes, using the classic phrase “weapons don’t kill, people do.”
Some took Hiddleston’s side. On July 25, the US Department of Justice signed a factual statement confirming his guilt and stating that “he wanted his program to be used for malicious purposes.”
According to the signed document, the authorities had evidence that Hiddleston knew that his program was designed for malicious purposes, but instead of contacting the authorities, he supported the authors of the malware. Huddleston’s hearing was rescheduled for 8 December. He could get 10 years in prison.
Download the recommended Free Malware Removal Tool by clicking on the given link:
Tips for preventing your system from getting infected with all viruses and malware:
- Turn on your pop-up blocker: Pop-ups and ads are the most commonly used tactic by cybercriminals and developers with the intention of spreading malware. Therefore, avoid questionable sites, software, pop-ups, etc. Install a powerful ad blocker for Chrome, Mozilla, and Internet Explorer.
- Don’t forget to keep your Windows up to date: to avoid such infections, we recommend keeping your system up to date via automatic Windows Updates. This way your system can avoid virus infections. According to the survey, outdated/older versions of the Windows operating system are more susceptible to virus infections.
- Third-party installation: Try to avoid free software download sites as they usually bundle the software with other installations and stub files.
- Regular backups: Regular and periodic backups help you keep your data safe in the event of a virus or any other infection. Thus, save your important files to your cloud drive or external hard drive regularly.
- Always use an antivirus: Precaution is always better than cure. We recommend installing ITL Total Security antivirus or Malware Removal Tool for example Download Virus RemovalTool
Remote control Sample analysis NanoCore RAT
NanoCore RAT is a well-known remote control software developed in the .Net environment. Various means are used to distribute this software in a network environment. Sometimes it is designed to effectively bypass anti-virus software and update functional modules through Hacker Favorite, and collect relevant samples from honeypots for further analysis.
The client presents an online notification displaying information about the host:
Online customer notification
Advanced functions are expanded, keyboard monitoring, live video operation, voice, command-line control, etc., fully control the remote host.
Module Plugin
One key client generation is very convenient, configuring the corresponding host port, DNS, icon, etc. to
Create a client in one click
Determining the behavior of the Virustotal platform:
The detection of platform behavior by Virustotal 39/54 basically regarded it as malware.
Tinder Sword detects the release of PE files, performs a self-copy, and creates autoload items.
Just extract and analyze C\program Files\WAN Service\wansv.exe in the folder. This time we will not analyze directly, because this example uses a puppet process, and in order to better understand the principle of the puppet process, a detailed analysis of the flow of execution of the original program is carried out.
There is a re-creation process, a launch process.
The principle of implementation of the puppet process
1. from CreateProcess Create process, pass parameters CREATE_SUSPENDED Suspend process
2. from NtUnmapViewOfSection Clear new process memory data
3. from VirtualAllocEx Request new memory
4. from WriteProcessMemory Write to memory payload
5. from SetThreadContext Set entry point
6. from the ResumeThread Wake-up process, execute the payload
Puppet Process Dump
Execute the following break-in CreateProcessW.
Once setThreadContext is run, it moves on to the next step and PChunter unloads the puppet process.
A program that comes out of Dump UPX packages. After shelling, the NanoCore client program is loaded into the resource. Continue uploading the file.
VirtualAlloc can see the amount of space requested for the PE file loaded by the resource.
Loading a resource calls load resource.
The Dump program is a .NET program written in C#.
DnSpy was decompiled and turned out to be a NanoCore client. The client created by NanoCore only needs to check the host connected to the Socket.
IP191.101.22.13, port 4110. To
Change the IP to this machine. Start the NanoCore server and create port 4110. Start the server. Perform remote monitoring.
