Kill Chain Analysis
Fig. 1 Kill Chain
In this spam email campaign, threat actors bait French-speaking users to open a PDF attachment through a fake bank loan offer.
Fig. 2 Spam mail in French with attached malicious PDF
Google Drive has its own security measures and scans a requested file for viruses before the file is downloaded or shared. Below is the image shown by Google Drive for shared links that are flagged as malicious.
Fig. 4 Google Drive shared link flagged as malicious
In our analysis, however, for some reason the infected file wasn’t detected as malicious, making it an effective attack vector. The downloaded file is an HTA with a VBScript that decodes the embedded binary payload, which is then written to the user’s %TEMP% and executed. After further investigation, the payload was found out to be NanoCore RAT (Remote Administration Tool).
Fig. 5 HTA with embedded binary payload
NanoCore is not a new name in the RAT industry. With a price tag of US$25, NanoCore has been in circulation since as early as 2013 according to some reports. RATs have been hanging in that delicate balance between surveillance and theft, or between simply being an administration tool and an arsenal for cybercrime. As a case in point, it has been reported that NanoCore’s author has pled guilty to selling the tool to cybercriminals. This has not stopped crooks from distributing it however, especially since cracked versions of the tool’s builder are being distributed in hacking forums for free.
Fig. 6 Decompiled NanoCore client
Remote control, file manipulations, download-execute, and password retrievers are just some of the capabilities that NanoCore offers to whoever gets their hands on the builder. Below is a screenshot of a cracked version of the latest NanoCore Builder (188.8.131.52), which was released way back in 2015.
Fig. 7 Cracked version of NanoCore (184.108.40.206 builder)
- FortiMail blocks all spam emails.
- FortiGuard Antivirus service detects all related samples. (see IOC)
- FortiGuard Webfilter service blocks and tags the download URL and C&C as malicious.
*Download URL has been reported to Google Drive.
Focusing on intrinsic details such as the filename and the download site’s reputation, threat actors continue to use creative ways to gain the trust of users. As shown in this article, this campaign abuses the reputation of Google Drive to deliver a malware, which also includes its own techniques to evade basic security measures.
Furthermore, it seems clear that the case of a RAT developer being found guilty of aiding cybercriminals has not affected the credentials of similar applications circulating in the security industry. And with cracked versions of the tool being accessible to all, along with all the potential benefits of a free administration tool, some curious minds are certain to take the bait. As a result, we are giving the same advice for NanoCore that we did in our previous Ozone RAT article. Not only is its distribution a free ticket to jail, there are scammers out there baiting users with “cracked versions” of the builder, which might turn out to be trojanized or the malware client itself.
-= FortiGuard Lion Team =-
3f4541fd800b71b1cfc25b665174e8ba7f1ef2c467e124252fea408598d89a65 – PDF/Dloader.GD!tr
cce86a03876eac85f779fa248d86ecaea6aecef9a783a58899f5ea3ed3b8c857 – MSIL/Nanocore.BT!tr
d547a836f83e166be6c1e639c61889bdbcf429a9b1ea50a45e2f51e80a2eff31 – VBS/Dropper.GD!tr
Sign up for weekly Fortinet FortiGuard Labs Threat Intelligence Briefs and stay on top of the newest emerging threats.Fortigate is an enterprise network security appliance that works with Cloud Bare Metal. Fortigate licenses sold separately.