
NanoCore RAT Attacks Windows Using Task Scheduler to Capture Keystrokes and Screenshots

NanoCore, a notorious Remote Access Trojan (RAT), continues to pose a significant threat to Windows systems.

This malware, known for its espionage capabilities and modular design, is being leveraged by cybercriminals to exfiltrate sensitive data, control infected systems, and maintain persistence using advanced techniques.

A recent analysis of a NanoCore sample (MD5 hash: 18B476D37244CB0B435D7B06912E9193) sheds light on its sophisticated behavior and attack mechanisms.

Behavioral Analysis

NanoCore RAT employs multiple methods to ensure its persistence on compromised systems.

Upon execution, it copies itself into hidden directories and modifies the Windows registry.

Specifically, it creates an entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute its payload (saasmon.exe) during startup.

Additionally, it uses the Windows Task Scheduler (schtasks.exe) to create scheduled tasks, further solidifying its foothold on the system.

Static Analysis

The malware also establishes directories in locations such as C:\Program Files (x86)\SAAS Monitor and C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED.

According to the malware analysis, these directories hold its components, including keylog files and other collected data awaiting exfiltration.

Data Exfiltration

NanoCore’s primary objective is data theft and espionage.

It captures keystrokes, screenshots, and clipboard content, storing them locally before sending them to a Command-and-Control (C2) server.

During dynamic analysis, the malware was observed communicating with simpletest.ddns.net over port 9632.

Wireshark Analysis

It also uses Google DNS (8.8.8.8) for connectivity checks. The RAT’s modular plugin system enhances its spying capabilities.

For instance, the “SurveillanceEx” plugin enables attackers to monitor victims more effectively by recording user activity in real time.

To evade detection and hinder analysis, NanoCore is protected with .NET obfuscators such as Eazfuscator.

Analysts used tools like de4dot to deobfuscate the malware, revealing its internal logic and class structures.

String analysis uncovered commands related to task scheduling and C2 communication, further confirming its malicious intent.

Indicators of Compromise (IOCs)

  • File Hash (MD5): 18B476D37244CB0B435D7B06912E9193
  • Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe
  • File System Changes:
      • C:\Program Files (x86)\SAAS Monitor\saasmon.exe
      • C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED
  • Network Indicators:
      • C2 Domain: simpletest.ddns.net
      • Port: 9632
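As an added example (not part of the original article or of any vendor's tooling), the script below turns the persistence behaviour described under "Behavioral Analysis", the C2 traffic described under "Data Exfiltration", and the IOC list above into a small hunting routine that runs over Sysmon-style event records. The event records are constructed for this demo in a simplified JSON form; the field names (EventID, TargetObject, CommandLine, Hashes, TargetFilename, QueryName, DestinationPort) follow Sysmon's conventions, but the SID, the destination IP and the keylog file name are made-up placeholders.

```python
"""Hunt for the NanoCore indicators from the article in Sysmon-style JSON events.

Added example; the events below are constructed, not real telemetry.
"""
import json
import re

# Indicators quoted from the article's IOC list.
IOC_MD5 = "18B476D37244CB0B435D7B06912E9193".lower()
IOC_RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe"
IOC_PATHS = [
    r"C:\Program Files (x86)\SAAS Monitor\saasmon.exe",
    r"C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED",
]
IOC_DOMAIN = "simpletest.ddns.net"
IOC_PORT = 9632

# Sysmon records HKCU keys as HKU\<user SID>\...; fold that back to HKCU so
# the article's registry IOC can be compared directly.
_HKU_SID = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)


def normalise_key(target: str) -> str:
    return _HKU_SID.sub(r"HKCU\\", target)


def parse_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'MD5=...,SHA256=...'."""
    return dict(p.split("=", 1) for p in field.split(",") if "=" in p)


def check_event(ev: dict) -> list:
    """Return (rule, detail) hits for one event; an empty list means clean."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # registry value set: Run-key persistence
        key = normalise_key(ev.get("TargetObject", ""))
        if key.lower() == IOC_RUN_VALUE.lower():
            hits.append(("run_key_persistence", key))
    elif eid == 1:  # process create: schtasks persistence or the known sample
        cmd, img = ev.get("CommandLine", ""), ev.get("Image", "")
        if img.lower().endswith("schtasks.exe") and "/create" in cmd.lower() \
                and "saasmon" in cmd.lower():
            hits.append(("scheduled_task_persistence", cmd))
        if parse_hashes(ev.get("Hashes", "")).get("MD5", "").lower() == IOC_MD5:
            hits.append(("known_sample_hash", img))
    elif eid == 11:  # file create under one of the malware's directories
        tgt = ev.get("TargetFilename", "")
        if any(tgt.lower().startswith(p.lower()) for p in IOC_PATHS):
            hits.append(("ioc_path", tgt))
    elif eid == 22:  # DNS query for the C2 host
        if ev.get("QueryName", "").lower() == IOC_DOMAIN:
            hits.append(("c2_dns_lookup", ev["QueryName"]))
    elif eid == 3:  # network connection on the C2 port
        if int(ev.get("DestinationPort", 0)) == IOC_PORT:
            hits.append(("c2_port", f"{ev.get('DestinationIp')}:{IOC_PORT}"))
    return hits


def hunt(lines) -> list:
    """Run every JSON line through check_event; returns (host, rule, detail)."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        findings.extend((ev.get("Computer"), r, d) for r, d in check_event(ev))
    return findings


# Constructed sample events (SID, IP and keylog file name are placeholders).
_DIR = r"C:\Users\User\AppData\Roaming\81E42A3A-6BA0-4784-B7EC-E653E9E1A8ED"
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventID": 1, "Image": IOC_PATHS[0],
     "CommandLine": f'"{IOC_PATHS[0]}"',
     "Hashes": "MD5=18B476D37244CB0B435D7B06912E9193"},
    {"Computer": "WS01", "EventID": 13, "TargetObject":
     r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
     r"\Software\Microsoft\Windows\CurrentVersion\Run\saasmon.exe"},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks.exe /create /sc onlogon /tn "SAAS Monitor" /tr "{IOC_PATHS[0]}"'},
    {"Computer": "WS01", "EventID": 11, "TargetFilename": _DIR + r"\keylog.dat"},
    {"Computer": "WS01", "EventID": 22, "QueryName": "simpletest.ddns.net"},
    {"Computer": "WS01", "EventID": 3, "DestinationIp": "203.0.113.10",
     "DestinationPort": 9632},
    # Benign noise: the 8.8.8.8 connectivity check from the article is far too
    # common to alert on, and notepad is an ordinary process start.
    {"Computer": "WS01", "EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
    {"Computer": "WS01", "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "Hashes": "MD5=00000000000000000000000000000000"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_LINES):
        print(f"{host}\t{rule}\t{detail}")
```

The two benign records at the end show why the article's 8.8.8.8 observation is context rather than an indicator: on its own it matches nearly every host, so the rules key on the Run value, the schtasks command line, the sample hash, the drop directories, the C2 hostname and the C2 port instead. The registry normalisation matters in practice because Sysmon never writes "HKCU"; without it the article's IOC would never match a live event.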

NanoCore RAT remains a potent threat due to its adaptability and extensive feature set.

Its use of Windows Task Scheduler for persistence, combined with advanced espionage capabilities, makes it a preferred tool for cybercriminals targeting sensitive data.

Organizations are advised to monitor network traffic for unusual activity, apply robust endpoint protection solutions, and educate users about phishing, the primary delivery vector for NanoCore.

By staying vigilant and leveraging proactive security measures, defenders can mitigate the risks posed by this persistent malware family.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
