Orange Cyberdefense’s CyberSOC explains here its methods for detecting malware by artefacts, focusing on the specific case of Nanocore.
Our malware detection methods
One of the missions of our CyberSOC is to detect the presence of malware in our customers’ information systems (IS). There are many methods and strategies for achieving this. One of them is detection based on Threat Intelligence, which consists in particular of raising an alert when a connection is made to a network indicator that is known to be malicious.
The disadvantage of this technique is that it relies on static elements and that, even when it succeeds, it lacks the context needed to qualify the incident. To overcome this shortcoming, our CyberSOC develops detection rules based on a list of patterns, or on behaviours and operating modes specific to certain malware families. This approach makes it possible to qualify the threat as soon as it is detected by the SIEM. It does, however, require continuous monitoring to keep the list up to date and to adapt it to the specific environment of the networks being monitored.
What is Nanocore?
Nanocore (MITRE ATT&CK S0336) is a widespread RAT (Remote Access Trojan) that has been used for many years by attackers of very different profiles. It is “customizable” thanks to numerous plugins, is written in .NET and sells for around twenty US dollars. Its source code has also been posted on various specialised forums, which further contributes to its popularity.
Designing a detection rule
There are several ways to detect this malware, the easiest being to watch for the creation of a run.dat file in the user’s AppData\Roaming\{GUID} directory, which is typical behaviour for this malware.
Figure 2: VirusTotal result for sample bfc803c89604e9adb4572d2a752bfc0e77aa3181c321768081f47b8e1ebc7d53 – source: VirusTotal
While this method seems simple and effective, it is not necessarily applicable in all of our customers’ environments. Monitoring file creation requires an EDR or, at the very least, Sysmon. Although these tools are increasingly deployed, their activity logs are only very rarely collected by the SIEM, because they are extremely verbose and therefore expensive to ingest.
The CyberSOC team has therefore looked for an alternative technique based on the data generally collected by SIEMs, combined with the significant artefacts generated by the malware’s activity. The choice fell on the Windows Security log, and more particularly on event 4657 – A registry value was modified. This event records the creation, modification or deletion of a registry value. Note, however, that it is not generated by default: the Audit Registry subcategory (Object Access) must be enabled (via GPO, for example), and a SACL must be set on the keys to be monitored, otherwise no 4657 events are written for them.
Based on the execution reports of Nanocore samples from a public sandbox, we find that for all of these samples the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TCP Monitor is created, with the path to the tcpmon.exe executable as its data. Note that this executable is located in a directory that is itself named TCP Monitor.
This could serve as a detection pattern. However, by running these same samples in the sandbox developed by Orange Cyberdefense (P2A), we notice that the name of the value and its data differ: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NAS Host, with the path to the nashost.exe executable as its data. The same behaviour is observed: the executable is again located in a directory whose name matches that of the Run value (NAS Host).
This behaviour aroused our curiosity. Our hypothesis was that the malware code contains a list of possible values, and that a function is responsible for picking one of them based on characteristics of the machine.
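To make the rule concrete, here is an added example (not code from the original post or from Orange Cyberdefense) that applies it to event 4657 records. It checks writes under the CurrentVersion\Run key for the two value names observed above (TCP Monitor, NAS Host) and, as a generalisation of the observation that the executable sits in a directory named after the Run value, also flags any Run value whose executable lives in a directory of the same name under the user’s AppData. The AppData placement, the sample events, the SID, user name and the “Example Service” entry are all constructed assumptions for the example; the field names follow the 4657 event schema (ObjectName, ObjectValueName, NewValue, OperationType, with %%1904 = created, %%1905 = modified, %%1906 = deleted).

```python
"""Flag Nanocore-style Run-key persistence in Windows Security event 4657 records.

Added example, not the original post's code. Two checks are applied to values
written under ...\CurrentVersion\Run:
  1. the value name is one already observed for Nanocore in the post
     ("TCP Monitor", "NAS Host");
  2. the generalisation of the post's observation: the executable lives in a
     directory named after the Run value, under the user's AppData
     (the AppData placement is an assumption, not stated in the post).
"""
import ntpath
import re
from typing import Optional

KNOWN_NANOCORE_VALUE_NAMES = {"tcp monitor", "nas host"}

# 4657 renders HKCU as \REGISTRY\USER\<SID>\... and HKLM as \REGISTRY\MACHINE\...
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(USER\\[^\\]+|MACHINE)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run$",
    re.IGNORECASE,
)
# OperationType: %%1904 = value created, %%1905 = value modified, %%1906 = value deleted.
WRITE_OPERATIONS = {"%%1904", "%%1905"}


def extract_exe_path(value: str) -> str:
    """Return the executable path from Run value data, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    # Unquoted: cut after the first ".exe" so trailing arguments are dropped.
    m = re.search(r"\.exe", value, re.IGNORECASE)
    return value[: m.end()] if m else value


def under_appdata(path: str) -> bool:
    """True if the path sits somewhere below a user's AppData directory."""
    return "\\appdata\\" in path.lower()


def classify(event: dict) -> Optional[str]:
    """Return a verdict for a 4657 record, or None if it is not of interest."""
    if event.get("EventID") != 4657:
        return None
    if event.get("OperationType") not in WRITE_OPERATIONS:
        return None  # deletions are ignored by this rule
    if not RUN_KEY_RE.match(event.get("ObjectName", "")):
        return None  # not the Run key
    value_name = event.get("ObjectValueName", "")
    exe = extract_exe_path(event.get("NewValue", ""))
    if value_name.lower() in KNOWN_NANOCORE_VALUE_NAMES:
        return "known_nanocore_run_value"
    parent = ntpath.basename(ntpath.dirname(exe))
    if parent and parent.lower() == value_name.lower() and under_appdata(exe):
        return "run_value_named_after_appdata_dir"
    return None


def scan(events):
    """Run classify() over a list of events and return (value name, verdict) pairs."""
    return [(ev["ObjectValueName"], v) for ev in events if (v := classify(ev))]


# Constructed sample events (hypothetical SID, user and paths), not real telemetry.
_RUN = r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": _RUN, "ObjectValueName": "TCP Monitor",
     "NewValue": r'"C:\Users\alice\AppData\Roaming\TCP Monitor\tcpmon.exe"', "OperationType": "%%1904"},
    {"EventID": 4657, "ObjectName": _RUN, "ObjectValueName": "NAS Host",
     "NewValue": r"C:\Users\alice\AppData\Roaming\NAS Host\nashost.exe", "OperationType": "%%1905"},
    # Hypothetical name not in the known list: caught by the directory-name heuristic.
    {"EventID": 4657, "ObjectName": _RUN, "ObjectValueName": "Example Service",
     "NewValue": r"C:\Users\alice\AppData\Roaming\Example Service\exsvc.exe", "OperationType": "%%1904"},
    # Benign: directory matches the value name but it is not under AppData.
    {"EventID": 4657, "ObjectName": _RUN, "ObjectValueName": "Vendor Agent",
     "NewValue": r'"C:\Program Files\Vendor\Vendor Agent\agent.exe" /silent', "OperationType": "%%1904"},
    # Different key: ignored.
    {"EventID": 4657, "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
     "ObjectValueName": "TCP Monitor", "NewValue": "x", "OperationType": "%%1904"},
    # Deletion of a known value: ignored by this rule.
    {"EventID": 4657, "ObjectName": _RUN, "ObjectValueName": "TCP Monitor",
     "NewValue": "", "OperationType": "%%1906"},
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {name}")
```

The second check is deliberately tightened to AppData so that legitimate software installed under Program Files in a directory named after its Run entry does not fire; in a real SIEM rule it would still need an allowlist for the few user-profile installers that behave the same way.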
Nanocore Reverse Engineering
This post does not aim to detail the reverse engineering of Nanocore, which is already the subject of numerous publications, but to focus on the functions that explain how the Run key entry is named and what its value is.
A simple static search for the string “Monitor” allows us to identify a constructor for a struct-type object containing arrays of String variables, within which we find the different observed values.
Figure 3: excerpt from the code containing the tables of variables – Source: Orange Cyberdefense CyberSOC