The US records most of the infections, followed by Canada

Mar 24, 2015 13:02 GMT

A full version of the NanoCore remote access Trojan (RAT), complete with premium plug-ins, was leaked earlier this month, and security researchers now see it being used in targeted attacks against several energy companies.

Multiple variants of NanoCore, at different stages of development, have been leaked since cybercriminals started work on it in 2013.

NanoCore leaks occurred since it was in alpha

The first release that became freely available on underground forums was in alpha stage, in December 2013, when much of its functionality was incomplete and new features were still to be integrated.

Since then, four beta versions have been leaked by multiple sources, ending with the fully functional build 1.2.2.0 being dumped on cybercriminal websites in March 2015. It is worth noting that the tool is priced at the lower end, its developers asking $25 / €23 for a copy.

Security researchers from Symantec tracked its activity from the beginning and, as expected, recorded an increased number of detections in the immediate period following the free availability of NanoCore.

Spear-phishing and a vulnerability from 2012

The targeted attacks started on March 6, Symantec’s Lionel Payet writes in a blog post on Monday, and they aim at energy companies in Asia and the Middle East.

According to the analysis, the cybercriminals spoof the email address of a legitimate oil company in South Korea in order to lend credibility to the fraudulent message.

The Trojan is delivered by a malicious RTF or Word file that exploits an old vulnerability (CVE-2012-0158) in the Microsoft Windows Common Controls ActiveX component MSCOMCTL.OCX, which ships with multiple older products from the software giant, among them SQL Server 2005/2008 and Office 2003 through 2010.

The document purports to inform the recipient of revisions to the current contract between the two parties. The subject line and body of the message urge the recipient to open the attachment, which compromises the machine.
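As an added illustration (not part of Symantec's analysis or this article), the following defender-side triage script pulls the hex-encoded \objdata blobs out of an RTF file and flags any that reference the MSComctlLib control family hosted by MSCOMCTL.OCX. The sample RTF inputs are constructed, the marker strings are an assumption about how such embedded objects are labelled, and a hit is a triage flag for analysts, not proof of CVE-2012-0158 exploitation.

```python
import re
from typing import Dict, List

# Assumption: a document embedding a Common Controls object carries the library's
# ProgID prefix or file name inside the OLE object data. Benign documents can do
# this too, so a match only marks the file for closer inspection.
CONTROL_MARKERS = (b"MSComctlLib", b"MSCOMCTL.OCX")

# \objdata is followed by the object's bytes as a run of hex digits, possibly
# wrapped across lines, and terminated by the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")


def extract_objdata(rtf: bytes) -> List[bytes]:
    """Return the decoded bytes of every \\objdata hex blob found in the RTF."""
    blobs = []
    for match in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s", b"", match.group(1))
        if len(hexdata) % 2:          # truncated trailing nibble: decode what is whole
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> Dict[str, object]:
    """Count embedded OLE objects and report which Common Controls markers they carry."""
    objects = extract_objdata(rtf)
    markers = sorted({m.decode() for blob in objects for m in CONTROL_MARKERS if m in blob})
    return {"embedded_objects": len(objects),
            "common_controls_markers": markers,
            "suspicious": bool(markers)}


# Constructed samples (not files from the campaign). The "object" body is a
# simplified stand-in for OLE data that names a Common Controls class.
BENIGN_RTF = b"{\\rtf1 Contract revision attached.}"
SUSPECT_RTF = (b"{\\rtf1 Contract revision attached.{\\object\\objocx{\\*\\objdata "
               + (b"\x01\x05\x00\x00\x02\x00\x00\x00MSComctlLib.ListViewCtrl\x00").hex().encode()
               + b"}}}")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        print(name, triage_rtf(sample))
```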

Less experienced crooks can now use it

Payet says that the cracked variant of NanoCore is currently available not just on the dark web, but also on the visible side of the Internet.

“That means it’s not just the more experienced cybercriminals who can easily access this malware for free, but also script kiddies eager to start their cybercriminal careers,” he says.

As per telemetry information collected by Symantec from January 2014 until March 2015, most of the NanoCore infections have been seen in the US (40%), followed by Canada (14%) and Singapore (9%).

Top ten countries affected by NanoCore since January 2014

Fraudulent email sent to victims