Yoroi-ZLab: Cybercrime is attacking Italy with Nanocore Remote Administrator Tools (RAT), protected by a Delphi wrapper
Cybercrime is attacking Italy with a particular sample of the well-known Nanocore Remote Administration Tool (RAT), protected by a Delphi wrapper. Yoroi-Cybaze ZLab cyber security experts analyzed the threat, which targets Italian companies operating in the luxury sector in particular, to understand how it works. The infection vector is a malicious email claiming to come from a well-known Italian bank. The attachment looks like a 7z archive file containing a valid PE file with an Adobe Acrobat icon, a trivial trick used to lure unwary users into believing it is a legitimate PDF file. It is, however, a PE executable, compiled with the "BobSoft Mini Delphi" compiler, and two characteristics stand out: the first is the high level of entropy, and the second is the obviously fake compilation timestamp of the executable.
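The two static indicators named above, high entropy and an implausible compilation timestamp, can be checked on any PE sample before it is ever executed. The following Python script is an added example, not code from the Yoroi-ZLab report: it reads the `TimeDateStamp` field of the COFF file header by hand, computes Shannon entropy over the file body, and flags both conditions. The entropy threshold (7.0 bits per byte) and the "no builds before 2000" floor are assumptions chosen for this example, and `build_sample` fabricates a minimal MZ/PE header purely so the script runs offline; it does not produce a real executable.

```python
import math
import struct
from datetime import datetime, timezone

# Heuristic thresholds (assumptions for this example, not values from the report).
HIGH_ENTROPY = 7.0                 # bits per byte; packed/encrypted data sits near 8.0
EARLIEST_PLAUSIBLE = 946684800     # 2000-01-01T00:00:00Z as a Unix timestamp


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def coff_timestamp(pe: bytes) -> int:
    """Return the TimeDateStamp from the COFF file header of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (offset of the PE signature) lives at offset 0x3C of the DOS header.
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # COFF header layout after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", pe, e_lfanew + 8)
    return stamp


def timestamp_plausible(stamp: int, now: int) -> bool:
    """A build stamp before the floor or in the future is a sign of tampering."""
    return EARLIEST_PLAUSIBLE <= stamp <= now


def triage(pe: bytes, now: int) -> dict:
    """Combine both indicators into one report for the sample."""
    stamp = coff_timestamp(pe)
    ent = shannon_entropy(pe)
    return {
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "timestamp_plausible": timestamp_plausible(stamp, now),
        "entropy": round(ent, 3),
        "high_entropy": ent >= HIGH_ENTROPY,
    }


def build_sample(stamp: int, body: bytes) -> bytes:
    """Constructed minimal PE-like header plus body for offline testing (not a real executable)."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    pe_hdr = b"PE\x00\x00" + struct.pack("<HHI", 0x14C, 1, stamp)  # i386, 1 section, stamp
    return dos + pe_hdr + body


if __name__ == "__main__":
    analysis_time = 1546300800  # 2019-01-01T00:00:00Z, a fixed "now" for reproducible output
    # Constructed suspicious sample: year-2038 build stamp and a uniform (maximum-entropy) body.
    suspicious = build_sample(0x7FFFFFFF, bytes(range(256)) * 64)
    print(triage(suspicious, analysis_time))
    # Constructed benign-looking sample: 2017 build stamp and a constant body.
    benign = build_sample(1500000000, b"\x00" * 4096)
    print(triage(benign, analysis_time))
```

On a real sample the entropy should be computed per section (the Delphi wrapper's `.rsrc` section, which carries the embedded RAT, is where the high entropy would concentrate); the whole-file figure here is the simplest form of the same check.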
The cyber security experts: how the malware attack works
According to the cyber security experts, the malware performs some checks intended to evade analysis environments. If none of the processes it looks for is active, it proceeds with the real infection: it writes the actual Nanocore RAT payload into the "%TEMP%" folder. The payload is simply embedded inside a resource, without any encryption or obfuscation. The "trasferimento.exe" Delphi wrapper carries a lot of embedded resources, and one of them contains the entire Nanocore RAT payload. The component registers a scheduled task to guarantee its persistence. At this point the malicious code creates an XML file with a pseudo-random name containing the configuration for its persistence on the machine. After this, it spawns the "non.exe" process and then re-spawns itself. This appears to be a survival mechanism in which both processes work together to keep the infection alive.
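Persistence through a scheduled task whose action lives in "%TEMP%" is an auditable combination: the task XML that Task Scheduler stores (and that `schtasks /query /xml` exports) names both the triggers and the executable. The following Python script is an added example, not code from the report or from Yoroi-ZLab: it parses task XML in the standard `mit/task` namespace and flags any `Exec` action whose command or arguments point into a user-writable temp directory. The two task definitions are constructed for this example, the path regex is an assumption about which directories deserve a flag, and `%TEMP%\payload.exe` is a placeholder rather than a path from the report.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption for this example: staging directories that a legitimate task rarely executes from.
SUSPICIOUS_PATH = re.compile(
    r"%temp%|%tmp%|\\appdata\\local\\temp\\|\\windows\\temp\\|%appdata%",
    re.IGNORECASE,
)


def audit_task_xml(xml_text: str) -> dict:
    """Return the temp-directory hits, the trigger types, and an overall verdict for one task."""
    root = ET.fromstring(xml_text)
    temp_paths = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        for field, value in (("Command", cmd), ("Arguments", args)):
            if SUSPICIOUS_PATH.search(value):
                temp_paths.append(f"{field}: {value}")
    # Strip the namespace from each trigger's tag so the report lists e.g. "LogonTrigger".
    triggers = [child.tag.split("}", 1)[-1] for child in root.findall(".//t:Triggers/*", NS)]
    return {
        "temp_paths": temp_paths,
        "triggers": triggers,
        "suspicious": bool(temp_paths),
    }


# Constructed task XML resembling what the wrapper's persistence would register (placeholder path).
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%TEMP%\\payload.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: vendor updater installed under Program Files, on a daily trigger.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2019-01-01T09:00:00</StartBoundary></CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
      <Arguments>--check</Arguments>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, audit_task_xml(xml_text))
```

Feeding every file under `C:\Windows\System32\Tasks` through `audit_task_xml` gives a quick host-wide sweep; tasks flagged here still need the usual confirmation (hash of the referenced binary, creation time, the registering account) before any response action.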
The RAT relies on an encrypted configuration that is only decrypted during execution, and its persistence is guaranteed by the scheduled task handled by the external wrapper
Yoroi-ZLab revealed that the "non.exe" file is the Nanocore RAT client. The decompiled code is heavily obfuscated and encrypted with custom routines, but the real nature of the payload is revealed after a few steps of debugging. The cyber security researchers found a recurring routine used to decrypt the RAT's static strings and its configuration as well. Like other crimeware, this one relies on an encrypted configuration that is only decrypted during execution. Interestingly, the extracted configuration does not include persistence, which is instead guaranteed by the scheduled task handled by the external wrapper. Furthermore, the client has some notable features enabled, such as the capability to bypass UAC and to prevent the system from going to sleep. Moreover, the primary and backup C2 are the same, and resolution of the backup C2 is guaranteed through the other process, "trasferimento.exe", running in RAT mode.