NanoCore
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.(Citation: Cofense NanoCore Mar 2018) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | NanoCore can open a remote command-line interface and execute commands.(Citation: PaloAlto NanoCore Feb 2016) NanoCore uses JavaScript files.(Citation: Cofense NanoCore Mar 2018) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | NanoCore uses VBS files.(Citation: Cofense NanoCore Mar 2018) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | NanoCore uses DES to encrypt the C2 traffic.(Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | NanoCore can modify the victim's anti-virus.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | NanoCore can modify the victim's firewall.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016) |
| Enterprise | T1056.001 | Input Capture: Keylogging | NanoCore can perform keylogging on the victim's machine.(Citation: PaloAlto NanoCore Feb 2016) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0064 | APT33 | (Citation: FireEye APT33 Webinar Sept 2017) |
| G0083 | SilverTerrier | (Citation: Unit42 SilverTerrier 2018) |
| G0078 | Gorgon Group | (Citation: Unit 42 Gorgon Group Aug 2018) |
| G0043 | Group5 | (Citation: Citizen Lab Group5) |
References
- The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
- Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- Unit42. (2016). SilverTerrier: The Rise of Nigerian Business Email Compromise. Retrieved November 13, 2018.