What is NanoCore, and how does this malware work?

Ray Fernandez

Aug 15, 20235 min read

What is NanoCore, and how does this malware work? Header image

Despite being created about ten years ago, NanoCore is one of the most popular, effective, and dangerous remote access trojans (RAT). But what exactly is NanoCore? Why is it still relevant? And what is the history behind the infamous malware? In this post, we’ll dive into NanoCore and show you how to stay safe.

What is NanoCore?

NanoCore is a type of malware that is coded to remotely access your computer. It breaches devices while concealed as a legitimate download. NanoCore has a lot of tricks under its sleeve. Plus, it can be highly and easily customizable by attackers using plug-and-play modules. It can remotely control, modify, spy on, and damage computers. And it can open backdoors, create botnet and zombie computers, and distribute spam and malware. NanoCore is like a hacker’s swiss knife.

Who created the NanoCore malware?

The history of NanoCore is as fascinating as its capabilities. Taylor Huddleston, a U.S.-born programmer from Hot Springs, Arkansas, was 26 years old when the FBI arrested him for aiding and abetting computing intrusions. But by then, the reputation of NanoCore was well established. It had been used internationally in hundreds of thousands of cyber attacks.

Taylor released the first alpha version of NanoCore in early 2013 on the dark web and sold it for about $25. The malware was cracked and leaked for free in underground forums. This is one of the reasons why the use of NanoCore in attacks skyrocketed. Criminals could get their hands on a customizable remote access trojan for free.

Every version that followed — including the beta versions of 2014 and the full version with premium plug-ins of 2015 — was also cracked and released for free. Subsequently, the NanoCore community was created. And since then, they have shared the malware’s different versions and a wide range of plug-ins.

How the NanoCore RAT works

Once NanoCore downloads, it self-executes and begins changing settings in a computer to take full control of it. Depending on what the hacker has coded it to do, it can launch a virus, spread through a network, act as spyware, or run an attack.

It can target Mac and Windows users alike. The malware runs undetected in the background. Like any RAT, it connects to the hacker´s command-and-control server. This gives the attacker complete command over your computer or device.

How NanoCore is delivered

There are different ways in which NanoCore can breach a device. However, all of them require that a user download the program or click on a link that runs the execution. NanoCore is a trojan, and as such, it will hide behind another file that the victim agrees to download. Once the download begins, NanoCore unpacks in the background while the other “legitimate” file acts as a decoy.

The most common way cybercriminals distribute NanoCore is through spam email and phishing campaigns. Hackers will draft emails that contain attachments faking invoices or price catalogs. This requires social engineering skills. In other words, emails must look legitimate and compelling enough to convince users to open them, read them, and then download the attachment.

NanoCore email attachment files can be:

  • .doc files
  • .pdf files
  • Zip files
  • ISO images
  • PowerPoint documents
  • .img files

NanoCore files are usually large. And as a result, it’s harder for antimalware and antivirus software to scan infected attachments before the user downloads them.

The RAT can also be distributed through website downloads, SMS, links shared on social media, and any other channel associated with phishing, smishing, or vishing.

The damage NanoCore can do

NanoCore can severely impact your devices, your digital life, your company, and the international security environment. While this malware is only designed to remotely control a device, with added modules, it can basically execute any type of attack. It can be used to relay and receive commands. Plus, when used in combination with other hacked computers, it can become part of a botnet.

Possible threats include:

  • Spyware
  • Keyloggers
  • Adware
  • Browser hijackers
  • Data theft
  • Data exfiltration
  • Ransomware
  • Use of computers for crypto mining.
  • Creation of botnets to launch DDoS or spam attacks
  • Spreading of malware and viruses
  • Spreading through networks
  • Encrypting and making changes to data and settings

How to protect yourself and your employer from a NanoCore attack

The best protection again any malware that breaches computers, systems, or devices through social engineering is with solid cybersecurity awareness. Knowing how malware works and spreads, and what it can do, allows you to stay ahead of the attacker. Here are some ways to protect yourself and your organization.

Never open suspicious attachments

You may get an email that appears to be from your boss or from someone who just happens to have the latest information on something that interests you. But as a rule of thumb, never open an attachment without taking precautions.

Before opening any email attachment, scan the file with your antimalware program and verify the source. Look carefully into the email, the address, the subject, and the content. Is it written without spelling mistakes? Does anything seem off about it? Is the attachment unusually large? If that is the case, do not even think about opening the attachment. Delete the email, block it, and report the sender.

How many links do you click in one week? The answer is surely a lot. And that’s exactly what cybercriminals are counting on when they launch malware distribution campaigns. So always think twice before clicking on a link, no matter where you got it from.

Be especially suspicious of any link sent to you by a stranger. Check the link itself. Does the address look legitimate? Remember, it only takes one click on the wrong link.

Firewall up, security updates on, and a trusted antimalware

Fortunately, there is one downside to being a famous RAT, and NanoCore knows it. Because this malware has been around for so long, all top security programs understand how it works and what it looks like. This means that if you keep your firewalls activated, your security updates toggled to on, and your antimalware running in the background, the chances of this malware getting through your system without being flagged are slim.

However, remember that no matter how good your antivirus and security posture is, that does not mean you should open attachments or download files. Caution and common sense are your best friends.

NanoCore is still one of the most-used RATs in the world. It is free and has the support of a community of hackers that are constantly developing new tools to launch attacks. But while this malware may sound threatening, intimidating, and unstoppable, it has a key weakness. It can only install if you are tricked into downloading it.

Ray Fernandez Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.