NanoCore RAT

The NanoCore RAT is a threatening remote access Trojan that was recently leaked to the public in its full version. This leaked full version was recently used in attacks targeting energy companies. The NanoCore RAT has been used in attacks throughout the world, but mostly focused on the United States and Canada. A full version of the NanoCore RAT was leaked to the plug-in recently. This full version of the NanoCore RAT included premium plug-ins, giving the NanoCore RAT advanced functionality that would normally have been behind a pay wall. Malware researchers have seen the NanoCore RAT used in targeted attacks on energy companies after the NanoCore RAT was leaked in early March of 2015.

The Origin and Evolution of the NanoCore RAT

Cybercrooks first started to develop the NanoCore RAT in 2013. Since its early development periods, variants of the NanoCore RAT have been leaked to the public. In fact, leaks of the NanoCore RAT occurred even when the NanoCore RAT was still in the alpha stages of development. The first free available versions of the NanoCore RAT on underground forums were released when the NanoCore RAT was in its alpha stage, around December of 2013. In that period, the NanoCore RAT still lacked full functionality, and many of its most important features had not been integrated into the latest release. Since that time, four other version, all from the beta development stage, were leaked. The NanoCore RAT leaks have come from a variety of sources. The latest leak of the NanoCore RAT is the fully functional the NanoCore RAT build 1.2.2.0, which was released on numerous underground websites in March of 2015. Unlike more threatening RATs, the NanoCore RAT is not particularly expensive and is located in the lower pricing end. The price for the NanoCore RAT is around $25 USD of €23 Euro per copy.

PC security researchers have tracked activities related to the NanoCore RAT from the beginning of its development. Unfortunately, as soon as the NanoCore RAT became freely available to the public, detections of this threat infection in the wild increased substantially. Targeted attacks involving the NanoCore RAT began on March 6. These attacks were aimed at energy companies in the Middle East and Asia. However, the United States is still the country with the highest rates of the NanoCore RAT infections, with Canada in second place. Phishing attacks involving the NanoCore RAT use social engineering tactics to convince inexperienced computer users to open the phishing email messages involved. These emails spoof the email address of a South Korean oil company as part of their ruse.

How the NanoCore RAT is Used to Attack a Computer

The NanoCore RAT in these tactics is delivered using a corrupted RTF or Microsoft Word file. This file takes advantage of a well-known vulnerability, CVE-2012-0158. This is a vulnerability in Microsoft Windows Common Controls ActiveX component MSCOMCTL.OCX, which appears in some of this company's older software. Some example of software vulnerable to this exploit includes SQL Server 2008 and versions of Microsoft Office released on 2010 and earlier. This text file claims to contain revisions to a contract. It has a carefully crafted subject line and body that tempts computer users into opening the document. By opening it, it results in the NanoCore RAT infection.

The Danger of the NanoCore RAT being Available to the Public

Unfortunately, now lesser experienced hackers and online third parties have access to the NanoCore RAT. Before, gaining access to the NanoCore RAT required paying for the service and accessing darker corners of the Web that are not readily available. It also implied a higher degree of computer knowledge. Now that the NanoCore RAT is freely available, pranksters and lesser experienced hookers (often known as 'script kiddies') may now use this threat infection to carry out their own attacks, leading to a higher incidence of infections which may be more difficult to contain.