Recently, the Proofpoint Threat Insight team observed a mid-volume email campaign using fake invoices as bait.
In this recent campaign, our researchers identified two elements that are particularly noteworthy.
NanoCore: a campaign targeting the manufacturing industry
First, while this campaign targeted many industries, our researchers found that the attackers targeted the manufacturing sector far more than any other. In particular, they saw a month-long campaign in October targeting the manufacturing industry in Germany.
Second, the goal of these attacks was to implant a Remote Access Trojan (RAT) known as “NanoCore” on the compromised systems. NanoCore is malware marketed on underground forums for US$19.99. This low price, combined with a design focused on ease of use, means that attackers can get started with NanoCore inexpensively and quickly begin using it in malware campaigns. This has kept NanoCore prevalent among many threat actors for years, even before we began to observe more widespread distribution of the RAT over the past 18 months.
Additionally, the manufacturing industry, with its complex supply chains and often sprawling network infrastructure, is an attractive and potentially lucrative target that is at risk of being infected and exploited through NanoCore and other malware.
How does the NanoCore attack work?
Although this campaign was not exclusively industry-focused, our researchers found that manufacturing was by far its preferred target.
This campaign started by sending a fake invoice to the target, like the one shown in Figure 1.
Figure 1: Fake invoice used as a NanoCore lure
Figure 2 shows a fake invoice lure in German.
Figure 2: German NanoCore lure
The attacks our researchers saw used a combination of malicious attachments and URLs. The attachments contained a compressed executable (with a “.Z” extension), while the links led the recipient to download the malware hosted on onedrive.live.com. Because onedrive.live.com is a legitimate file-hosting service, the host alone is not a useful indicator; it is the combination of an invoice lure with a compressed executable, whether attached or fetched from a personal cloud-storage share, that should raise suspicion.
The attack sequence is shown in Figure 3.
Figure 3: NanoCore attack sequence
Once the user clicks the link and downloads the executable, or extracts and runs the attachment, the NanoCore RAT is installed on their system.
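The delivery chain above reduces to two observable indicators at the mail gateway: an invoice-themed message carrying a “.Z”-compressed attachment, or one linking to a download on onedrive.live.com. The following triage script is an added example written for this page (it is not Proofpoint’s code or a NanoCore detection signature). It checks those indicators on a set of constructed message records; the sample subjects, bodies, attachment names and the onedrive.live.com URL are made up for illustration, and the magic-byte check uses the standard Unix compress(1) header that a genuine “.Z” file starts with.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the campaign description on this page:
# a compressed executable with a ".Z" extension, and download links
# hosted on onedrive.live.com (a legitimate host, so only meaningful
# together with the invoice lure).
SUSPICIOUS_EXTENSIONS = {".z"}
SUSPICIOUS_DOWNLOAD_HOSTS = {"onedrive.live.com"}
# Unix compress(1) magic bytes; a real ".Z" attachment begins with them.
COMPRESS_MAGIC = b"\x1f\x9d"
# Invoice-themed subject words, English and German (the lures in the figures).
INVOICE_WORDS = ("invoice", "rechnung")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Pull http(s) URLs out of a plain-text message body."""
    return URL_RE.findall(body)


def is_invoice_lure(subject):
    s = subject.lower()
    return any(word in s for word in INVOICE_WORDS)


def triage_message(msg):
    """Return the list of indicators found in a message dict with
    'subject', 'body' and 'attachments' (list of (name, bytes))."""
    hits = []
    if is_invoice_lure(msg.get("subject", "")):
        hits.append("invoice-themed subject")
    for url in extract_urls(msg.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        if host in SUSPICIOUS_DOWNLOAD_HOSTS:
            hits.append(f"download link on {host}")
    for name, data in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SUSPICIOUS_EXTENSIONS:
            hits.append(f"compressed attachment {name}")
        if data.startswith(COMPRESS_MAGIC):
            hits.append(f"compress(1) magic in {name}")
    return hits


def verdict(msg):
    """Quarantine only when the lure and a delivery vector coincide;
    a lone indicator goes to review, nothing found is allowed."""
    hits = triage_message(msg)
    lure = any(h.startswith("invoice") for h in hits)
    delivery = any(not h.startswith("invoice") for h in hits)
    if lure and delivery:
        return "quarantine"
    return "review" if hits else "allow"


# Constructed sample messages (not real campaign artefacts).
SAMPLES = {
    "lure_attachment": {
        "subject": "Rechnung Nr. 4711",
        "body": "Bitte finden Sie die Rechnung im Anhang.",
        "attachments": [("Rechnung_4711.Z", b"\x1f\x9d\x90" + b"\x00" * 16)],
    },
    "lure_link": {
        "subject": "Invoice overdue",
        "body": "Download your invoice: https://onedrive.live.com/download?cid=EXAMPLE",
        "attachments": [],
    },
    "benign": {
        "subject": "Team lunch Friday",
        "body": "Menu is at https://example.com/menu",
        "attachments": [("menu.pdf", b"%PDF-1.4")],
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(f"{label}: {verdict(msg)} {triage_message(msg)}")
```

The two-factor verdict is deliberate: “.Z” archives and OneDrive links both occur in legitimate mail, so the script only quarantines when the invoice lure and a delivery vector appear together, and routes single hits to an analyst instead of blocking them outright.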
As a remote access Trojan, once NanoCore is installed its capabilities include live and offline keylogging, execution of arbitrary shell commands, screenshots of the desktop, webcam capture, and download of arbitrary files. In short, NanoCore gives the attacker full control of the system, usually without the victim’s knowledge, and a persistent presence on the network.
NanoCore: features and source code
NanoCore is not unique in its capabilities: they are common to most RATs. However, NanoCore stands out for its low cost and ease of use.
Proofpoint’s Threat Insight team found NanoCore for sale on underground forums for as little as US$19.99, a relatively low price for crimeware.
In addition to its low cost, NanoCore is relatively easy to use. Figure 4 shows the NanoCore control panel, with the range of tools and capabilities that NanoCore provides to the attacker once a system is compromised.
NanoCore: what is the threat to the industry?
NanoCore’s low cost and ease of use have kept it on the market. It continues to be used for malicious purposes, giving an attacker extensive control and a continued presence on a network after a successful compromise.
Overall, Proofpoint’s Threat Insight team has found a general trend toward the use of RATs following successful attacks. This is explained by the fact that RATs provide a persistent presence and give attackers the greatest possible flexibility to take advantage of compromised systems.
This recent campaign using NanoCore is part of this trend.
The fact that attackers are focusing on manufacturing in these attacks should serve as a call to action for companies in this sector to increase their vigilance. As these attacks show, the use of credible invoices as bait demonstrates that while these attackers are not necessarily spending much money on their tools, they bring a level of commercial sophistication that must be met with an equal level of alertness.