Malware is getting more and more sophisticated, especially when it comes to covering its tracks. Every day, we see modern malware employing innovative code-hiding techniques including obfuscation, bundling and infiltration — making the job of executable analysis engines that come with anti-virus and sandbox tools almost impossible.
SlashNext recently discovered a new variant of NanoCore RAT that was using an interesting trick by packaging four of its executable components inside a single binary archive…without leaving a trace on the hard disk.
This NanoCore variant was discovered on a malicious website serving a GoogleDrive phishing page. The directory structure of the Command & Control server was not secured, providing full access to all of the artifacts hosted on this server, including a .zip file containing the NanoCore binary.
For complete details about the phishing scam, check out our previous blog:
When Malware alone is not enough
It’s very common to find multiple types of malicious artifacts hosted on the same infrastructure. Hackers will often launch multiple attacks simultaneously against their victims hoping that at least one of them will succeed. This is a great example of how this malware variant was activated:
The malware file was named as “invoice.exe.” Here is the sequence of events once it starts running:
1. It loads a .png file called “7” in byte array from resources directory, which hides an encoded executable (dll.exe) and a 16 bytes key to decode it.
- Each pixel (R, B, G) in “7.png” contains three values and its dimension is 288×288
- “7.png” is read reverse column-wise and the value of each color in a pixel is appended in byte array
- First four bytes are ignored
- Next 16 bytes are extracted as key to XOR with remaining bytes of array
- The resulting byte array contains “dll.exe”
The code snippet below shows the executable’s (dll.exe) decoding process using 16 bytes key and XOR operation:
2. “dll.exe” is invoked directly from memory. This executable is responsible for later actions. Here is how it works:
- It creates file “Filename.exe” in “%UserProfile%\AppData\Roaming\Microsoft\Windows\DwiDesk\” and writes code of “invoice.exe” to “Filename.exe”, and it also creates a shortcut named “Filename.lnk” in the same directory
- It then invokes two legitimate Windows programs: MSBuild.exe & RegAsm.exe
- It extracts three resource files: M, persistance source and R from the resource directory
3. It now invokes two instances of “RPe.exe”
- One with arguments (i) “MSBuild.exe” path (ii) “NanoCoreRAT.exe” assembly
- Second with arguments (i) “RegAsm.exe” path (ii) “pw.exe” assembly
4. The first instance of “RPe.exe” injects code of “pw.exe” into process space of “RegAsm.exe” and the second instance injects NanoCoreRAT code into “MSBuild.exe”
5. Now “pw.exe” is running behind the mask of “RegAsm.exe” and constantly monitors the existence of “Filename.exe” process. As soon as it encounters that “Filename.exe” has been stopped by any means, it reinvokes “Filename.exe”
6. Now “NanoCoreRAT.exe” is running inside “MSBuild.exe”
7. It copies itself in “%appdata%/Roaming/GUID/” with a randomly chosen name
8. It creates a startup entry to get persistence
Note: dslhost.exe is actually a “NanoCoreRAT.exe” replica
9. From this point, “NanoCoreRAT” is running inside “MSBuild.exe” and communicates with 220.127.116.11:1989 over TCP.
Note: Only “Filename.exe” is visible in procmon because all other processes are executed in memory using In-Memory-Execution technique
Cleaning Systems from NanoCoreRAT
Since the “RegAsm” process is constantly checking to ensure “Filename.exe” is running, killing the “Filename.exe” process alone is useless. To ensure full removal:
1. Suspend all three processes: Filename.exe, MSbuild and RegAsm, as well as related/child processes, and then kill them all together.
2. Remove the following two directories and their contents:
3. In the “Startup” programs list in Task Manager: delete or disable both the “Filename.exe” and the “%appdata%/Roaming/GUID/[random_name].exe” entries.
4. Restart your system.
- 734910456c43436d0725ec6a13784161466097d751a91f4a4c465ce7c7bc1645 invoice.exe/Filename.exe
- beb4307d5ba3c6e209889b4bb5967dffa9cf1ca9af9eed15754e053de3321a95 dll.exe
- eb38719a61c56faf8a57eb5b8dbf7b2b4ed7a047b399713e3cc87bc4423b1be8 RPe.exe
- 8e3e9fe816ab536c42d3afa009e9e1678dcd7d5838473fe056bf2440e0d14ad1 pw.exe
- ef2cab9a06f7c7c462eb100c66a589b89f4bd746f4afbcc8dab25686918f207a NanoCoreRAT.exe
- %UserProfile%\AppData\Roaming\2875FAE0-D4B0-40A9-B3B4-76BF0563ACA6\AGP Service\[random-name].exe
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run=”c:\users\[username]\appdata\roaming\9bc79ecb-e94e-4db2-bd38-4950445a4f10\dsl host\dslhost.exe”
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce = “c:\users\[username]\appdata\roaming\microsoft\windows\dwidesk\filename.lnk”
It’s very clear that the rules of the game are changing. Hackers now completely understand that targeting their victims with just one type of attack is not enough. In this case, threat actors were using a combination of a credential stealing and advanced malware at the same to make sure if one type of attacks fails, the next one succeeds.
Like the Anthem and DNC breaches, phishing paved the way for the expansion into massive attacks and we will continue to see more like those until IT teams recognize that an internet defense which relies on traditional malware and exploit protection will simply not be enough against these new methods of malware-free attacks.