Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 270: UNDERSTANDING THE RISK OF NANOCORE
Reference Number ACG-CSB 101722270
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
A high-risk Remote Access Trojan (RAT) called NanoCore gives attackers information about the operating system and name of the target device. This information is then used to carry out a variety of harmful activities, including modifying private files, obtaining login credentials, and taking control of webcams and microphones.
The base plugins shipped with NanoCore extend the malware's capabilities and make targeted attacks easier to carry out. NanoCore has undergone numerous iterations since its discovery in 2013.
Malware is often created for a single kind of attack. NanoCore, however, gives attackers complete, anonymous control over compromised devices, allowing them to perform virtually any action on the system.
In 2015, targeted emails spoofing addresses belonging to a genuine South Korean oil company were sent to energy companies in Asia and the Middle East. A malicious RTF file containing the NanoCore malware was attached to the emails. This campaign demonstrates how NanoCore has been used in practice, ultimately putting the victims' Office 365 data at risk.
Typically, NanoCore malware is distributed through spam emails with malicious attachments such as MS Office files. However, because modern spam filters block many of these messages, attackers continually devise new delivery methods, so any channel should be treated as a potential vector.
The license for NanoCore is available on the dark web. As a result, any aspiring cybercriminal can buy and distribute this malware. As previously stated, this malware is primarily distributed via spam email campaigns. Cybercriminals send deceptive emails with a variety of messages.
Some claim that users must pay taxes, while others claim that packages have been delivered, and so on. In every case, the recipient is encouraged to open an attached file, which could be an MS Office document, an executable, an image, an archive, or something else. Opening it allows malware such as NanoCore to infiltrate the system. It should be noted that NanoCore is a remote access tool (RAT).
As a result, the 'threat actor' (the person or third party who distributes the malware) has remote control over the infected system. Furthermore, because this malware is modular, anyone can expand and configure its functionality.
RATs are commonly used by cybercriminals to install additional malware, perform other unauthorized tasks, and steal information (saved logins/passwords, etc.). For example, a remote access tool can be used to deliver ransomware, information-stealing trojans, and similar malware. The infected system could also be used for botnet attacks, crypto-mining, and other tasks.
As a result, having a RAT installed on your computer can lead to a variety of issues, such as significant financial/data losses, privacy breaches, hardware damage, decreased system performance, and so on.
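The bulletin notes that NanoCore arrives mainly as a spam attachment (Office documents, RTF files, executables, archives). The following Python script is an added example, not part of this bulletin or of any PNP tooling, showing the kind of attachment triage a mail gateway or analyst script can perform: it parses a raw RFC 822 message with the standard library, enumerates its attachments, and reports why each one is suspicious. The sample message is constructed inline, and the extension and MIME-type lists are assumptions to be tuned for your own environment.

```python
"""Triage e-mail attachments of the types used in NanoCore spam campaigns.
Added example with a constructed sample message; the risk lists below are
assumptions, not an official policy."""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed risk categories (tune for your environment).
EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse",
                  ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".ps1"}
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xlsb", ".pptm"}
LEGACY_OFFICE_EXT = {".doc", ".dot", ".xls", ".ppt"}
LEGACY_OFFICE_MIME = {"application/msword", "application/vnd.ms-excel",
                      "application/vnd.ms-powerpoint"}
RTF_MIME = {"application/rtf", "text/rtf"}
ARCHIVE_EXT = {".zip", ".rar", ".7z", ".iso", ".img", ".cab", ".ace"}


def classify(filename: str, content_type: str) -> list[str]:
    """Return the reasons an attachment is suspicious (empty list if none)."""
    reasons = []
    name = filename.lower()
    stem, ext = os.path.splitext(name)
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable/script extension {ext}")
        # e.g. "report.pdf.exe": an inner extension disguises the real type
        if os.path.splitext(stem)[1]:
            reasons.append("double extension disguising an executable")
    if ext in MACRO_EXT:
        reasons.append("macro-enabled Office document")
    if ext in LEGACY_OFFICE_EXT or content_type in LEGACY_OFFICE_MIME:
        reasons.append("legacy Office format (can embed macros)")
    if ext == ".rtf" or content_type in RTF_MIME:
        reasons.append("RTF document (delivery format seen in NanoCore campaigns)")
    if ext in ARCHIVE_EXT:
        reasons.append("archive or disk image (can conceal executables)")
    return reasons


def scan_message(raw: bytes) -> list[dict]:
    """Parse a raw message and classify every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():      # skips the text body parts
        filename = part.get_filename() or "(unnamed)"
        ctype = part.get_content_type()
        findings.append({"filename": filename, "content_type": ctype,
                         "reasons": classify(filename, ctype)})
    return findings


def should_quarantine(findings: list[dict]) -> bool:
    """Quarantine when any attachment has at least one risk reason."""
    return any(f["reasons"] for f in findings)


def build_sample_message() -> bytes:
    """Constructed sample resembling a package-delivery lure (not a real e-mail)."""
    msg = EmailMessage()
    msg["From"] = "courier@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Your package could not be delivered"
    msg.set_content("Please open the attached documents to reschedule delivery.")
    msg.add_attachment("meeting notes", filename="notes.txt")           # benign
    msg.add_attachment(b"{\\rtf1 constructed}", maintype="application",
                       subtype="rtf", filename="Invoice_2022.rtf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    msg.add_attachment(b"PK constructed", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Quotation.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for item in results:
        status = "SUSPICIOUS" if item["reasons"] else "ok"
        print(f"{status:10} {item['filename']} ({item['content_type']})")
        for reason in item["reasons"]:
            print(f"             - {reason}")
    print("verdict:", "quarantine" if should_quarantine(results) else "deliver")
```

The check deliberately keys on both the filename extension and the declared MIME type, because a lure can set either one to look harmless; a filename such as `report.pdf.exe` is flagged twice (executable extension plus double extension), which is the pattern the bulletin's "deceptive emails with attached files" warning describes.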
All PNP personnel as well as the public are advised to follow these tips to avoid being a victim of NanoCore attacks:
- Ensure that your security software and operating system are up to date;
- Ensure that your device’s firewall is active;
- Only download apps and software from sources you can trust;
- Cover your webcam when not in use;
- Regularly back up your data;
- Be wary while browsing the internet and do not click on suspicious links, pop-ups or dialogue boxes;
- Keep your web browser up to date and configured to alert you whenever a new window is opened or anything is downloaded; and
- Do not click on links or attachments within unexpected or suspicious emails.
For additional information, please refer to the following websites:
POINT OF CONTACT