Attackers do not always have to use newly developed malicious codes. If it seems appropriate to them, they often also use proven malware for their purposes. In that case, it is obviously very important to choose the distribution path in such a way that the malicious software can be placed without the victim noticing. We took a closer look at such an approach using the example of NanoCore.


NanoCore is a Remote Access Trojan, which has been available in various versions as a relatively inexpensive finished product since 2013. Remote Access Trojans are a very dangerous type of malware that allows attackers to remotely control and monitor infected systems. In 2015, the full version and all plugins of NanoCore was cracked and has been available for free in underground forums ever since.



The developer of NanoCore was arrested last year and sentenced to 3 years imprisonment . This case is of particular importance, since it was the first time a developer of a dual-use tool, who did not use the tool “for personal use” for hacking, was convicted. Crucial to the conviction was the fact that the developer had offered the software in hacker forums even though he knew that some of his customers would use the tool for illegal purposes.   NanoCore has still not gone out of style and continues to be up to no good. However, because the tool is very well-analyzed and therefore easily detectable by antivirus products, the attackers often have to be creative to deliver the Trojan. For this reason, they come up with elaborate concealment methods.   Last week, we witnessed a cyber-attack with NanoCore, which creatively combined various techniques to deliver and install the Remote Access Trojan. To do this, the attackers used a combination of phishing, a self-extracting Winrar archive, and the legitimate AutoIT administration tool.  

Delivery via phishing mail

  The initial phishing mail tricks the recipient into a special business offer, which is supposed to be included in an enclosed PDF called “inquiry.pdf”. The email tries to be more convincing by using the complete contact information. Since this information is often real, we have blackened it in the screenshot below.  
Example of a phishing mail

Example of a phishing mail

  The attached phishing PDF looks like a link to Dropbox but includes a URL that downloads an archive file from another source.  
Fake Dropbox-Seite zu Malware-Link

Fake Dropbox page to malware link

  This “” ZIP archive contains the file “inquiry.scr”. The file extension “scr” is only an alternative to “exe” and was formerly used for executable PE files that install screensavers. In this case, it is a self-extracting Winrar archive that is being misused as a malware dropper.  

Use of a self-extracting archive

  The strings contained in the file show that the scr file is a self-extracting Winrar archive. Significant strings include:  
  • SoftwareWinRAR SFX
  • winrarsfxmappingfile.tmp
  • WinRAR self-extracting archive
  The archive could not be extracted manually without error. Only an execution of the file shows the undamaged content of the archive, consisting of:  
  • 42 randomly named files with different endings, which are only about 500 bytes in size and contain ASCII data
  • The legitimate administration tool AutoIT, renamed as “mta.exe”
  • An ASCII file “qoa.docx” that is 951K in size and contains the configuration for AutoIT
  • • An ASCII file “stt = dsr” that is 3MB in size and contains an obfuscated script in the AutoIT native VBA-like scripting language
  In August 2015, TALOS reported a similar attack that used the combination of a self-extracting archive with AutoIT to distribute NanoCore. Since this attack had even more similarities to the attack we observed, we suggest a link between these incidents. For example, the attack stops for 20 seconds once a running Avast process is detected. In 2015, however, an office macro was used in the phishing mail, while in this case a PDF was used. There are also differences in the payloads delivered, such as the delivery of additional malware in the 2015 Talos attack.  

Attackers abuse automation tool AutoIT

  AutoIT is a legal tool , used to automate administrative tasks. It provides its own scripting language, which is based on VBA. The tool is available for free and has unfortunately been used so many times by criminals to install malware that it is sometimes mistaken for being dangerous.   The AutoIT script in the file “stt = dsr” from the ZIP archive has an AntiAV technique built in which will put the application to sleep if the process “avastui.exe” is running on the system. It reads out different values from the section “Setting” in the “qoa.docx” configuration file. Afterwards, a randomly named file is created into which one of the detected strings is written. This file is also an obfuscated AutoIT script, 272K in size, and is called “DIENU” in our case. In this file, the string “Settings File Name” is overwritten with the name of the configuration file “qoa.docx”. Then the script sets the attributes of all extracted files to “hidden” and “read only” to make them as inconspicuous as possible. AutoIT is started and the created “DIENU” script, which uses “qoa.docx” as a configuration file, is passed to AutoIT.  

Intelligent system check before installing NanoCore

  The “DIENU” script makes some changes to the system, such as changing the system configuration and registry entries. It tries to find out if it is running in a VMware or Virtualbox Sandbox. If so, the script aborts to avoid potential analysis. Subsequently, the Remote Access Trojan is installed by injecting malicious code into the process memory of RegSvcs.exe – a .NET tool designed to install services. This technique is often used to hide malware in legitimate programs.  
NanoCore's System Instrusion

Functional sequence of the NanoCore attack


Flexibility of NanoCore through modular design

  NanoCore has a modular structure. The respective plugins, which can be switched on and off independently, are described in detail in an article by DigiTrust. Two plugins were used in this attack: the client plugin in version and the surveillance plugin with product version number   The plugins were written as library files “ClientPlugin.dll” and “SurveillanceExClientPlugin.dll” for .NET and obfuscated with the tool “Eazfuscator.NET 3.3”. The methods have the attributes “DebuggerHiddenAttribute” and “DebuggerNonUserCode”, to complicate the analysis with a debugger. This prohibits debugging these methods and setting breakpoints.  


  The client plugin is the basic element that handles communication with the command-and-control server and the management of collected information in a key/value collection. The information can optionally be compressed and send to the C2 server via pipe. The client also has options to change settings, uninstall plugins as well as uninstall and control the host computer, such as shutting it down, restarting it, or disabling security mechanisms.  


  The surveillance plugin comes with all sorts of features for spying on the victim. This allows the attacker to collect passwords, logs and DNS records. The host computer is remotely controllable, and recordings of key inputs, the microphone, or the webcam can be recorded.   The Surveillance Plugin can receive four commands:  
  1. Password: SendTools, EmailClient, InternetBrowser
  2. Logging: (KeyboardLogging, ApplicationLogging, DNSLogging, GetLogs, DeleteLogs, ExportLogs, ViewLogs)
  3. Keyboard: Write, Download, LogToServer
  4. Dns: GetRecords
  Generally speaking, it is a comprehensive toolkit to remotely control and monitor the infected computer.  

No getting through thanks to Hornetsecurity ATP

  As sophisticated as the obfuscation methods of this NanoCore attack are, the true intent of the tool is recognized by the behavioral analysis of the Hornetsecurity ATP Sandbox. It recognizes both the unpacking of the files, the creation of new files, the process injection of the NanoCore DLLs into a legitimate process, the modification of the registry entries as well as the network communication.  
Analysis activities of Hornetsecurity ATP

Analysis activities of Hornetsecurity ATP


Indicators of Compromise

  Die folgenden Dateien mit ihren sha256-Hashwerten wurden in dem Angriff verwendet. Da AutoIT eine legitime Software ist, führen wir das Tool hier nicht mit auf.  
  • inquiry.pdf** 9c5d693e7c86f8f0c05af495d95a9d6f998ec93bec5c6f8d560d54f8a945f866
  •** e0d88bab6749297eb1c03ec1e86bb0d9b7e53d10de8c05dcde032e5f040d03a2
  • inquiry.scr** 4a71602852c7a1a2b3c3c9690af9a96b57c622b459e4fff4f34d43c698b034b8
  • DIENU** 5612ac210a8df891f9ed07c5a472beb0d78f1f714f9f37e31320ec1edbc41d9c
  • SurveillanceExClientPlugin.dll** 01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
  • ClientPlugin.dll** 61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
  • qoa.docx** f36603bf7558384d57a9f53dfcd1e727bd6f56d4a664671f06fd5ca1383413d0
  • stt=dsr** 6236beb6702dd8396339fdad8c4539d7e177733a0f7cff1ded06f060895feac1
  Domain from which the zip archive was downloaded: htXp://