Malscape Snapshot: K-12

Malscape Snapshot: K-12

Are you checking DDNS requests? Because it could be NanoCore.

Lastline sequences and indexes millions of submissions to our Global Threat Intelligence Network (GTIN) on a weekly basis. Here we present a snapshot of the latest 100 malware samples that, through sampling telemetry from our GTIN, have a reference or link to the K-12 school environment (see Figure 1).

The latest 100 threats referencing K-12 environments.

Figure 1: The latest 100 threats referencing K-12 environments

The profile of AntiVirus labels for the latest threats linked to K-12 environments is remarkably consistent with the overall pattern of detections we see on a global basis. The majority of threats at time of submission are essentially new variants of existing threats. The files receive an “Unclassified” label because these unique file hashes have not been seen before on virus submission portals and therefore signatures do not yet exist.

For those threats with file hashes that have been submitted before, the next largest category of AntiVirus label is detection based on generic attributes that a file is malicious. “Trojan.Injector”, “Trojan.Generic”, “Suspicious.generic” are placeholder names for static analysis attributes of malicious files, but they provide very little information about the nature and scope of the threat and the risk it poses to an environment. The largest explicitly identified threat at Twenty-one percent of the malicious files detected are labeled as NanoCore, an infamous and highly functional Remote Access Trojan.

A Brief History of NanoCore

According to recent court documents, Taylor Huddleston, 27, of Hot Springs, Arkansas, developed, administered, marketed, and distributed two products that are extremely popular with cybercriminals around the world. According to the court’s announcement of trial results, “The first is the ‘NanoCore RAT,’ which is a type of malicious software, or ‘malware,’ that is used to steal information from victim computers, including sensitive information such as passwords, emails, and instant messages. The NanoCore RAT even allowed users to surreptitiously activate the webcams of infected computers in order to spy on the victims. Huddleston’s NanoCore RAT was used to infect and attempt to infect over 100,000 computers.”

A federal court in Virginia sentenced the developer of NanoCore to 33 months jail. In a statement of facts signed by the defendant, he confirmed that from 2013 to 2016 he marketed NanoCore on dark market forums. He agreed with prosecutors that NanoCore offered many features including:

  1. A keylogger that allowed customers to record all keystrokes typed
  2. A password stealer that extracted passwords saved and sent them over the Internet to the customer
  3. The ability for customers to remotely turn on webcams and spy
  4. The ability to view, delete, and download files
  5. The ability to lock infected computers until users paid customers a ransom
  6. A “booter” or “stressor” that allowed infected computers to participate in distributed denial-of-service attacks

The statement of facts, signed on July 25, 2017, said:

By developing NanoCore and distributing it to hundreds of people, some of whom he knew intended to use it for malicious purposes, Huddleston knowingly and intentionally aided and abetted thousands of unlawful computer intrusions and attempted unlawful computer intrusions, including intrusions and attempted intrusions that occurred within the Eastern District of Virginia… Huddleston agrees the evidence would show that NanoCore was used in a massive ‘spear phishing’ scheme designed to infect and attempt to infect thousands of victim computers, including computers within the Eastern District of Virginia.

Figure 2 shows the top level menu of the user interface of NanoCore from where all the features are accessed, highlighting surveillance features including recover passwords and monitor keyboard. In addition to the base functionality, the NanoCore ‘community’ has created additional plugins to expand the capabilities of this tool, including cryptomining.

NanoCore user interface showing surveillance features.

Figure 2: The NanoCore user interface showing surveillance features

Figure 3 shows how NanoCore outputs the captured browser credentials from the victim’s system.

NanoCore outputs the captured browser credentials from the victim system.

Figure 3: NanoCore outputs the captured browser credentials from the victim’s system

As shown in Figure 4 below, NanoCore even has a rudimentary ransom capability.

NanoCore ransomware capability.

Figure 4: NanoCore ransomware capability

Mapping Behavioral Analysis to Malware Code Functions

Figure 5 shows the behavioral overview displayed by Lastline Enterprise and Lastline Breach Defender products. On the left side of the graphic are the individual behaviors identified in the malware sample, with arrows corresponding to the user-defined features in the NanoCore interface.

In the absence of labeling or explicitly identifying a piece of malware, the extracted behaviors allow you to build an accurate assessment of the threat and required remediation action.

 Lastline behavioral analysis and corresponding NanoCore features.

Figure 5: Lastline behavioral analysis and corresponding NanoCore features

What is Dynamic DNS?

Behavioral intelligence extracts not just the potential behaviors but also the actual activity of the malware, including attempted communication with command and control infrastructure. This linkage allows us to not only increase the accuracy of any incident response action but also allows us to build timely and relevant threat intelligence against any future attacks.

Figure 6 shows the command and control attempts for the latest 100 K-12 threats sampled by Lastline.

Dynamic DNS hosts used by NanoCore and similar RATS.

Figure 6. The Dynamic DNS hosts used by NanoCore and similar RATS

The vast majority of attempted network behavior is connecting back to dynamic domain name system entries. Dynamic DNS offers network administrators, home users, and cybercriminals the ability to manage systems remotely in spite of changing IP addresses.

dyn.com provides a good summary of DDNS:

Dynamic DNS, also known as DDNS, solves the problem of ever changing residential IP addresses by associating your address with a consistent domain name without the need to buy a pricey static IP. Having a home IP address is not as simple as having a business IP address. When you become a residential customer of an ISP, they provide you with an IP address so you can access the internet from your home. However, these dynamic IP addresses frequently change, as the ISP manages their own online systems. This makes it difficult to utilize your residential IP address with other services (webcam, security camera, thermostat, etc.) as the address continues to change without notice. Thankfully, Dynamic DNS can help by assigning a custom domain name to your home IP address that will update automatically as your home IP continues to change.

Malware authors use it in exactly the same way as network administrators and home users. It allows them to retain control of a victim by connecting the malware on the victim’s system to a “C2.DDNS.com” address, providing greater survivability for command and control in absence of the threat actor not being able to control IP ranges. Or not wanting to control IP ranges, for the purposes of attribution avoidance and denial.

How Many of the Unclassified Samples are NanoCore?

Let’s circle back to the overall picture of the latest 100 threats referencing K-12 schools, having now gained intelligence of the type of behaviors seen by NanoCore malware samples in this recent time frame. Figure 7 shows all the extracted behaviors by popularity across the entire sample set.

The most popular NanoCore functionality across all samples.

Figure 7: The most popular NanoCore functionality across all samples

We cross-referenced the behaviors seen across all samples to the behaviors seen in a NanoCore analysis. We can see that there is a great deal of overlap between the unclassified and generically classified samples and the explicitly identified NanoCore sample (see Figure 8). The same behaviors are shared in 80 of the 100 samples.

Occurrences of NanoCore behavior across the total sample set.

Figure 8: Occurrences of NanoCore behavior across the total sample set

Conclusion

Having now used behavioral intelligence to learn about the capabilities of one malware threat and subsequently used this information to look for connections and commonalities to unclassified, generic threats, we conclude that in this particular time window, we have captured an outbreak of NanoCore payloads that reference K-12 environments. Even though the majority of AntiVirus tools in 79 out of 100 samples have either no equivalent signature or only a heuristic detection, the displayed behaviors and command and control commonalities across the samples link 80 percent of them to a common payload, NanoCore. K-12 environments need to watch their logs for connections requesting a DDNS domain.

For help identifying DDNS connections in your environment contact threatintel@lastline.com.

Andy Norton

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both Bush and Obama administrations, The Cabinet office, the Foreign and Commonwealth office, SWIFT, Swiss National Bank, Prudential Regulation Authority, the Bank of England, The Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.
Andy Norton

Latest posts by Andy Norton (see all)